A Process Algebraic View of I/O Automata 
by 
Roberto Segala 


B.S., Computer Science 
University of Pisa - Italy 
(1991) 

Diploma in Computer Science 
Scuola Normale Superiore - Pisa 


(1991) 


Submitted to the Department of Electrical Engineering and Computer Science 
in partial fulfillment of the requirements for the degree of 


Master of Science in Electrical Engineering and Computer Science 
at the 
MASSACHUSETTS INSTITUTE OF TECHNOLOGY 
June 1992 


© Massachusetts Institute of Technology 1992 


Signature of Author 
Department of Electrical Engineering and Computer Science 
September 8, 1994 


Certified by 
Nancy A. Lynch 


Professor of Computer Science 
Thesis Supervisor 


Accepted by 
Campbell L. Searle 


Chairman, Departmental Committee on Graduate Students 


A Process Algebraic View of I/O Automata 
by 
Roberto Segala 


Submitted to the Department of Electrical Engineering and Computer Science 
on September 8, 1994, in partial fulfillment of the 
requirements for the degree of 


Master of Science in Electrical Engineering and Computer Science 


Abstract 


The Input/Output Automata formalism of Lynch and Tuttle is a widely used framework for 
the specification and verification of concurrent algorithms. Unfortunately, it has never been 
provided with an algebraic characterization, a formalization which has been fundamental for 
the success of theories like CSP, CCS and ACP. We present a many-sorted algebra for I/O 
Automata that takes into account notions such as interface, input enabling, and local control. It 
is sufficiently expressive for representing all finitely branching transition systems, hence all I/O 
automata with a finitely branching transition relation. Our presentation includes a complete 
axiomatization of the quiescent preorder relation over recursion free processes with input and 
output. Finally, we give some example specifications and use them to show the methodology 
of verification based on our algebraic approach. 
Chapter 1 


Introduction 


The Input/Output Automata [LT87, Sta84, Jon85, Jon87] is a widely used and deeply investigated formalism for specifying and verifying concurrent systems. Unfortunately, it has never been provided with an algebraic characterization, a mathematical formalization that has been fundamental for the success of theories like CSP, CCS and ACP [Hoa85, Mil89, Hen88, BW90]. The goal of this thesis is to improve our understanding of the intricacies of I/O automata by describing them as a process algebraic theory. This will permit algebraic manipulation and provide an alternative to the commonly used verification method based on possibilities mapping. 

We start by designing an algebra that incorporates the fundamental features of I/O automata of Lynch and Tuttle [LT87] and captures the essential role of concurrent composition, hiding and renaming of I/O automata. Our design aims at maintaining minimality of operators and universal expressivity with respect to the I/O automata we can represent. We base our characterization on the following basic features of I/O automata: 

1. explicit interfacing: a transition-invariant interface is associated with each process; 
2. input/output distinction: a clear distinction is made between output actions that are locally controlled and input actions that are globally controlled; 
3. input enabling: input actions are enabled in every state; 
4. local control: each action is under the control of at most one process. 


Clearly this list is not exhaustive, and for the sake of simplicity we choose at this stage to avoid 
considering important issues such as fairness. 

The operators in our calculus associate distinct sets of input and output actions (interfaces) 
with each process. This captures a critical aspect of I/O automata, namely the distinction 
between input and output actions. To associate an interface to a process we use many-sorted 
algebras: each sort stands for an interface. This permits dealing with partial operators in a 
clean way. As an example consider the parallel composition operator. To comply with the 
requirement that each action is under the control of at most one process, two processes that 
have common output actions cannot be composed in parallel. Many-sorted algebras permit 
capturing this restriction by defining the parallel operator as a family of sorted operators, one 
for each pair of compatible interfaces. 

Our research continues a line of investigation initiated by Vaandrager in [Vaa91]. That investigation was deliberately done in a simple setting where no explicit interface is associated with processes, and in which input enabling is obtained by means of self loops. No axiomatization was proposed in [Vaa91]. Indeed, the behavioral relation we use for comparing systems is the quiescent preorder of [Vaa91] (Definition 2.2.4 of Chapter 2). The main idea of the quiescent preorder is that a quiescent trace leads a system to a state from which only input actions are enabled. Moreover, the preorder is given by external and quiescent trace inclusion. The quiescent preorder is a restriction to finite traces of the fair preorder of [LT87], and we see it as a stepping stone toward the study of fairness sensitive semantics. 

An important property we require of our calculus is substitutivity of the quiescent preorder. 
One of our guides for achieving substitutivity is again [Vaa91] where, in the style of [De 84, 
De 85b, GV89, BIM90], restrictions to the inference rules of a generic Structured Operational 
Semantics [Plo81] are investigated to guarantee substitutivity of the quiescent and fair preorders. 
Our calculus, however, does not completely fit Vaandrager’s format and thus new congruence 
proofs are needed. 

A key issue in defining our I/O calculus is the way input enabling is enforced. We present our choice with the support of an example. Consider process $P = a.e$, which is able to perform an action $a$ and then behave like $e$. If the system is input enabled, the above process must be able to perform any other input action different from $a$. We considered two different possible choices: 

1. Angelic: unexpected inputs are ignored and give rise to self-loops. For example, system $P = a.e$, after accepting any input $b$ different from $a$, behaves as before, and is ready to accept the $a$-action. 

2. Demonic: unexpected inputs are considered as catastrophic; after any unexpected input a system moves to a special state $\Omega$ from which any behavior is possible. Thus, $P = a.e$, after any $b$-action different from $a$, moves to $\Omega$. 

The Angelic choice was made by Vaandrager in [Vaa91]; here, we support the Demonic one. In our view, the prefixing operator specifies the behavior of $P$ only for action $a$ and says nothing about input actions different from it. By interpreting this in the field of I/O automata we have that an implementation of $P$ should be correct independently of the behavior it exhibits when provided with any input action different from $a$. Since the relation we use to compare processes is the quiescent preorder, moving to a special state $\Omega$ from which any behavior is possible makes the above interpretation possible. Due to this basic choice, our calculus will be called the Demonic calculus of I/O Automata (DIOA). 

This demonic approach has been partially influenced by the Receptive Process Theory (RPT) of Mark Josephs [Jos92]. However, the semantics of RPT provided by Mark Josephs is denotational and, like CSP, is described by means of sets of failures, traces and divergences. The handling of underspecification is even more demonic than ours; underspecification is propagated backward, i.e., if a process $P$ can perform an output action $o$ and move to the equivalent of an $\Omega$ state, then the whole $P$ is equivalent to $\Omega$. 

For DIOA, we propose a set of sound algebraic laws that are complete with respect to the 
quiescent preorder for recursion-free processes. The completeness result is achieved through 
reduction to a special normal form in which the parallel operator is used in a restricted way. 
Particularly important for our result is an operator representing internal choice. It does not fit 
Vaandrager’s general format and forces us to prove substitutivity of our preorder explicitly. 

We give a dual view of the algebraic laws: from one point of view a law is a theorem about I/O automata; from the other point of view a law is a statement about the relationship between two syntactic entities. The dual view of the laws has the advantage of separating the properties of the model chosen for DIOA (I/O automata) from the properties based on the syntactic structure of the expressions. The main difference between the two points of view lies in the way that side conditions are defined, i.e., in the way in which the conditions for the validity of a law are expressed: according to the first point of view a side condition is defined in terms of the semantics associated with an expression; according to the second point of view a side condition is defined in terms of the syntactic structure of an expression. 

Finally, we present two simple example specifications and implementations within DIOA in 
which the quiescent preorder is used as an implementation relation and we outline a method- 
ology for verification based on our algebraic laws. The examples suggest an alternative to the 
commonly used verification method based on possibilities mapping and show that, in some 
cases, algebraic reasoning might be simpler than directly searching for a mapping between 
states of processes. 

The rest of the thesis is organized as follows: Chapter 2 contains some preliminary definitions; Chapter 3 presents the Demonic Calculus of I/O Automata; Chapter 4 presents a set of algebraic theorems for DIOA, corresponding to the first point of view of the algebraic laws; Chapter 5 provides an axiomatization of the quiescent preorder over DIOA expressions that is complete for recursion-free processes; Chapter 6 presents some example specifications; Chapter 7 presents some concluding remarks and some suggestions for further work. The end of the thesis contains an appendix with the formal definition of DIOA and the complete list of the axioms that are introduced in Chapters 4 and 5. 


Chapter 2 


Preliminaries 


In this chapter we give a general introduction to the formalisms we are comparing. Section 2.1 formally introduces I/O automata, giving their definition together with some of the main features and some of the commonly used preorder relations. Section 2.2 introduces process algebras and other new preorder relations. The preorder relations of Section 2.2 are the process algebraic version of the relations presented in Section 2.1. 


2.1 I/O automata 


In this section we formally introduce I/O automata, whose complete formal definition is given in [LT87]. One of the basic concepts is the notion of action signature. Basically, an action signature represents the interface of an automaton with the external environment. 


Definition 2.1.1 (action signature) Given three disjoint sets $in$, $out$ and $int$ we refer to the triple $(in, out, int)$ as an action signature $S$. The sets $in$, $out$ and $int$ are respectively denoted by $in(S)$, $out(S)$ and $int(S)$. The entire set of actions $in \cup out \cup int$ is denoted by $acts(S)$. The set of external actions $in \cup out$ is denoted by $ext(S)$. Finally, the set of locally controlled actions $int \cup out$ is denoted by $local(S)$. □ 


We can now formally define an I/O automaton. 


Definition 2.1.2 (input-output automaton) An input-output automaton $A$ is a tuple $A = (Q, Q_0, S, t, P)$ where 

• $Q$ is a set of states and is referred to as $states(A)$, 
• $Q_0 \subseteq Q$ is the set of start states and is referred to as $start(A)$, 
• $S$ is an action signature and is referred to as $sig(A)$, 
• $t \subseteq Q \times acts(S) \times Q$ with the property that $\forall q \in Q,\ a \in in(S)\ \ \exists q' \in Q : (q, a, q') \in t$. It is referred to as $steps(A)$, and 
• $P$ is a partition of $local(S)$ and is referred to as $part(A)$. 

A step $(q, a, q') \in steps(A)$ is conventionally denoted by $q \xrightarrow{a} q'$. □ 


The difference between classical automata and I/O automata is essentially in the differentiation of the actions given by the action signature, the constraint that the transition relation is always defined for input actions, and the presence of the partition $P$ of the locally controlled actions. We will discuss the role of $P$ when introducing the notion of fair execution. For the moment we concentrate on executions. 


Definition 2.1.3 (executions and schedules) Given an automaton $A$, an execution fragment is a finite sequence $q_0 a_0 q_1 \cdots a_{n-1} q_n$ or infinite sequence $q_0 a_0 q_1 a_1 q_2 \cdots$ of alternating states and actions such that $(q_i, a_i, q_{i+1}) \in steps(A)$ for every $i$. An execution is an execution fragment beginning with a start state (i.e., $q_0 \in start(A)$). The schedule of an execution $x$ is the subsequence of actions appearing in $x$. It is denoted by $sched(x)$. The executions and schedules of an automaton $A$ are denoted respectively by $execs(A)$ and $scheds(A)$. □ 


Usually it is necessary to deal with subsets of an automaton's executions or schedules. For this reason we define the notions of execution module and schedule module. The basic idea is that an execution module simply represents a set of executions while a schedule module represents a set of schedules. 


Definition 2.1.4 (execution and schedule modules) An execution module $E$ is a triple $E = (Q, S, e)$ where $Q$ is a set of states, $S$ is an action signature and $e$ is a set of executions with actions in $acts(S)$ and states in $Q$. They are referred to as $states(E)$, $sig(E)$ and $execs(E)$. 

A schedule module $C$ is a pair $C = (S, c)$ where $S$ is an action signature and $c$ is a set of schedules with actions in $acts(S)$. They are referred to as $sig(C)$ and $scheds(C)$. □ 
Given an automaton $A$ there is a natural execution module $Execs(A)$ associated with it: 

$$Execs(A) = (states(A), sig(A), execs(A)).$$ 

Given an execution module $E$ there is a natural schedule module $Scheds(E)$ associated with it: 

$$Scheds(E) = (sig(E), scheds(E)).$$ 


I/O automata, execution modules and schedule modules are collectively referred to as objects 
and denoted by O. 


As a last step, we restrict the observation of an automaton to its external actions. 


Definition 2.1.5 (external schedule module) An external action signature is an action signature consisting only of external actions. An external schedule module is a schedule module with an external action signature. 

The external action signature of a signature $S$ is $(in(S), out(S), \emptyset)$, i.e., $S$ without internal actions; given a sequence $y$ of actions and a set of actions $X$ we denote by $y \lceil X$ the subsequence of $y$ consisting only of actions of $X$. 

The external schedule module of an object $O$, denoted by $External(O)$, is the external schedule module with the external action signature of $O$ and the schedules $\{y \lceil ext(O) : y \in Scheds(O)\}$. □ 


We can now define the first notion of equivalence for I/O automata. 


Definition 2.1.6 (unfair equivalence) The unfair behavior of an object $O$, which is denoted by $Ubeh(O)$, is the external schedule module $External(O)$. Two objects $O$ and $P$ are said to be unfairly equivalent, $O =_U P$, iff $Ubeh(O) = Ubeh(P)$. □ 


This relation is an equivalence relation and turns out to be a congruence for the operators defined over objects. There are three operations defined over objects: hiding, renaming and parallel composition. 


Definition 2.1.7 (hiding) Given an object $O$ and a set of actions $I$ with $I \cap in(O) = \emptyset$, we define the object $Hide_I(O)$ to be the object differing from $O$ in that 

• $out(Hide_I(O)) = out(O) \setminus I$, and 
• $int(Hide_I(O)) = int(O) \cup (acts(O) \cap I)$. 

The effect of the hiding operator is to hide some locally controlled actions from the external environment. The only difference between the argument of the operator and the resulting object is that the signature is changed. Executions and schedules are exactly the same; clearly, external schedules change. The definition of the hiding operator of [LT87] does not contain the restriction that $I \cap in(O) = \emptyset$, but it is immediate to observe that the operator is not closed for I/O automata if we allow input actions to be hidden: $part(A)$ would no longer be a partition of $local(A)$. 


Definition 2.1.8 (renaming) An injective mapping $f$ is applicable to an object $O$ if $acts(O) \subseteq dom(f)$. Given an automaton $A$ and a mapping $f$ applicable to $A$ we define $f(A)$ to be $(Q, Q_0, S, t, P)$ where 

• $Q = states(A)$, $Q_0 = start(A)$, 
• $in(S) = f(in(A))$, $out(S) = f(out(A))$, $int(S) = f(int(A))$, 
• $t = \{(q, f(a), q') : (q, a, q') \in steps(A)\}$, and 
• $P = \{(f(a), f(a')) : (a, a') \in part(A)\}$. 

The definition above can be easily reformulated for execution modules and schedule modules. The effect of the renaming operator is simply to rename actions. 


Definition 2.1.9 (composition of I/O automata) A set of action signatures $\{S_i : i \in I\}$ is called compatible iff for all $i, j \in I$ with $i \neq j$ we have 

1. $out(S_i) \cap out(S_j) = \emptyset$, and 
2. $int(S_i) \cap acts(S_j) = \emptyset$. 

In general the objects $\{O_i : i \in I\}$ are compatible iff their action signatures are compatible. The composition $S = \prod_{i \in I} S_i$ of compatible action signatures $\{S_i : i \in I\}$ is defined to be the action signature with 

1. $in(S) = \bigcup_{i \in I} in(S_i) - \bigcup_{i \in I} out(S_i)$, 
2. $out(S) = \bigcup_{i \in I} out(S_i)$, and 
3. $int(S) = \bigcup_{i \in I} int(S_i)$. 

The composition $A = \prod_{i \in I} A_i$ of compatible automata $\{A_i : i \in I\}$ is defined to be the automaton with 

1. $states(A) = \prod_{i \in I} states(A_i)$, 
2. $start(A) = \prod_{i \in I} start(A_i)$, 
3. $sig(A) = \prod_{i \in I} sig(A_i)$, 
4. $part(A) = \bigcup_{i \in I} part(A_i)$, 
5. $steps(A) = \{((q_i)_{i \in I}, a, (q'_i)_{i \in I}) : \forall i \in I$ 
   (a) $a \in acts(A_i) \Rightarrow (q_i, a, q'_i) \in steps(A_i)$ 
   (b) $a \notin acts(A_i) \Rightarrow q'_i = q_i\}$. 


Composition of automata is of fundamental importance because it exactly characterizes the way I/O automata communicate. The compatibility conditions state that internal actions cannot interact and that every action can be controlled by at most one process. The transition function states that all processes must synchronize on common actions. The following two definitions extend the composition operator to execution modules and schedule modules. 
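The definitions above are concrete enough to execute. The following Python program is an added example, not code from the thesis: it builds two constructed finite I/O automata (a client issuing `req` and a server answering `ack` after an internal `work` step), checks input enabling as required by Definition 2.1.2, applies hiding and renaming (Definitions 2.1.7 and 2.1.8), and computes the composed action signature and product automaton of Definition 2.1.9. Leaving out the partition part(A) is an assumption of the example, justified because fairness is not used here; all names and the class layout are the example's own.

```python
from itertools import product

# Added example, not code from the thesis: finite I/O automata with action
# signatures, the input-enabling check of Definition 2.1.2, hiding and renaming
# (Definitions 2.1.7 and 2.1.8) and parallel composition (Definition 2.1.9).
# Assumption: part(A), the partition of locally controlled actions, is omitted
# because nothing here uses fairness.

class Signature:
    def __init__(self, inp, out, int_):
        self.inp, self.out, self.int = frozenset(inp), frozenset(out), frozenset(int_)
        if self.inp & self.out or self.inp & self.int or self.out & self.int:
            raise ValueError("in, out and int must be pairwise disjoint")

    def acts(self):
        return self.inp | self.out | self.int

class IOAutomaton:
    def __init__(self, states, start, sig, steps):
        self.states, self.start, self.sig = frozenset(states), frozenset(start), sig
        self.steps = frozenset(steps)          # triples (q, a, q')
        if not self.start <= self.states:
            raise ValueError("start states must be states")

    def enabled(self, q):
        return {a for (p, a, _) in self.steps if p == q}

    def input_enabled(self):
        # Definition 2.1.2: every input action is enabled in every state
        return all(self.sig.inp <= self.enabled(q) for q in self.states)

    def reachable(self):
        seen, todo = set(), list(self.start)
        while todo:
            q = todo.pop()
            if q in seen:
                continue
            seen.add(q)
            todo.extend(q2 for (p, _, q2) in self.steps if p == q)
        return seen

def hide(auto, hidden):
    # Definition 2.1.7: only locally controlled actions may be hidden
    if hidden & auto.sig.inp:
        raise ValueError("cannot hide input actions")
    sig = Signature(auto.sig.inp, auto.sig.out - hidden,
                    auto.sig.int | (auto.sig.acts() & hidden))
    return IOAutomaton(auto.states, auto.start, sig, auto.steps)

def rename(auto, f):
    # Definition 2.1.8: f must be injective and defined on every action
    if len(set(f.values())) != len(f) or not auto.sig.acts() <= set(f):
        raise ValueError("mapping must be injective and applicable")
    sig = Signature({f[a] for a in auto.sig.inp}, {f[a] for a in auto.sig.out},
                    {f[a] for a in auto.sig.int})
    return IOAutomaton(auto.states, auto.start, sig,
                       {(q, f[a], q2) for (q, a, q2) in auto.steps})

def compatible(sigs):
    # Definition 2.1.9: outputs pairwise disjoint, internal actions private
    return all(not (s.out & t.out) and not (s.int & t.acts())
               for i, s in enumerate(sigs) for j, t in enumerate(sigs) if i != j)

def compose(autos):
    sigs = [a.sig for a in autos]
    if not compatible(sigs):
        raise ValueError("incompatible action signatures")
    union = lambda sets: frozenset().union(*sets)
    # composed signature: inputs that no component outputs, all outputs, all internals
    sig = Signature(union(s.inp for s in sigs) - union(s.out for s in sigs),
                    union(s.out for s in sigs), union(s.int for s in sigs))
    states = set(product(*(a.states for a in autos)))
    start = set(product(*(a.start for a in autos)))
    steps = set()
    for qs in states:
        for a in sig.acts():
            # components that know `a` must all take an `a` step; the rest stay put
            options = [[q2 for (p, b, q2) in comp.steps if p == q and b == a]
                       if a in comp.sig.acts() else [q]
                       for comp, q in zip(autos, qs)]
            steps.update((qs, a, qs2) for qs2 in product(*options))
    return IOAutomaton(states, start, sig, steps)

# Constructed components: a client that issues `req` and waits for `ack`, and a
# server that accepts `req`, does internal `work`, then answers `ack`.
CLIENT = IOAutomaton({"idle", "wait"}, {"idle"}, Signature({"ack"}, {"req"}, set()),
                     {("idle", "req", "wait"), ("wait", "ack", "idle"),
                      ("idle", "ack", "idle")})          # ack ignored while idle
SERVER = IOAutomaton({"free", "busy", "done"}, {"free"},
                     Signature({"req"}, {"ack"}, {"work"}),
                     {("free", "req", "busy"), ("busy", "req", "busy"),
                      ("done", "req", "done"), ("busy", "work", "done"),
                      ("done", "ack", "free")})
SYSTEM = compose([CLIENT, SERVER])

if __name__ == "__main__":
    print("composed signature:", sorted(SYSTEM.sig.inp), sorted(SYSTEM.sig.out), sorted(SYSTEM.sig.int))
    print("product states:", len(SYSTEM.states), "reachable:", len(SYSTEM.reachable()))
    print("two servers compatible?", compatible([SERVER.sig, SERVER.sig]))
```

Running the module shows that neither `req` nor `ack` is an input of the composed system any more (each is now controlled by exactly one component), that only three of the six product states are reachable, and that composing two copies of the server is rejected because they share the output `ack`, the situation the compatibility condition exists to rule out.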


Definition 2.1.10 (composition of execution modules) The composition $E = \prod_{i \in I} E_i$ of compatible execution modules $\{E_i : i \in I\}$ is defined as follows: 

• $states(E) = \prod_{i \in I} states(E_i)$, 
• $sig(E) = \prod_{i \in I} sig(E_i)$. 

Given a state $s = (s_i)_{i \in I}$ of the composition, we define $s \lceil E_i = s_i$. Given a sequence $x = s_0 a_0 s_1 \cdots$ of states and actions of $E$, we define $x \lceil E_i$ to be the sequence obtained from $x$ by removing all $a_j s_{j+1}$ with $a_j \notin acts(E_i)$ and replacing the remaining $s_j$ by $s_j \lceil E_i$. 

• $execs(E) = \{x = s_0 a_0 s_1 \cdots : \forall i \in I\ \ x \lceil E_i \in execs(E_i) \wedge (a_j \notin acts(E_i) \Rightarrow s_j \lceil E_i = s_{j+1} \lceil E_i)\}$. 


Definition 2.1.11 (composition of schedule modules) The composition $C = \prod_{i \in I} C_i$ of compatible schedule modules $\{C_i : i \in I\}$ is defined as follows: 

• $sig(C) = \prod_{i \in I} sig(C_i)$, 
• $scheds(C) = \{y : \forall i \in I\ \ y \lceil C_i \in scheds(C_i)\}$. 


The following facts hold for I/O automata and show that the definitions above are well given. The interested reader may refer to [LT87] for the proofs. 

Proposition 2.1.12 Let $\{A_i : i \in I\}, A$ be compatible automata, $\{E_i : i \in I\}, E$ be compatible execution modules, $\{C_i : i \in I\}, C$ be compatible schedule modules and $\{O_i : i \in I\}$ be objects. Then 

1. $Execs(\prod_{i \in I} A_i) = \prod_{i \in I} Execs(A_i)$, 
2. $Scheds(\prod_{i \in I} E_i) = \prod_{i \in I} Scheds(E_i)$, 
3. $External(\prod_{i \in I} C_i) = \prod_{i \in I} External(C_i)$, 
4. $Ubeh(\prod_{i \in I} O_i) = \prod_{i \in I} Ubeh(O_i)$, 
5. $Execs(Hide_I(A)) = Hide_I(Execs(A))$, 
6. $Scheds(Hide_I(E)) = Hide_I(Scheds(E))$, 
7. $External(Hide_I(C)) = External(Hide_I(External(C)))$, 
8. $Execs(f(A)) = f(Execs(A))$, 
9. $Scheds(f(E)) = f(Scheds(E))$, 
10. $External(f(C)) = f(External(C))$. 


A side effect of input enabling is that a system may be prevented from performing locally controlled actions by means of an infinite sequence of input actions. This case is avoided by restricting the observations to fair executions. In the following definition we use the partition of the locally controlled actions for the first time. 


Definition 2.1.13 (fair executions) A fair execution of an automaton $A$ is an execution $x$ such that for all $X \in part(A)$ 

• if $x$ is finite then no action of $X$ is enabled from the final state of $x$; 
• if $x$ is infinite then either actions from $X$ appear infinitely often in $x$ or states from which no action of $X$ is enabled appear infinitely often in $x$. 

A finite fair execution is also said to be quiescent. □ 


The notion of fairness defined above recalls weak fairness [Fra86], but the two concepts are different. In [Fra86] fairness is considered for each action, while in I/O automata fairness is considered for locally controlled actions only. Moreover, instead of considering single actions, fairness is defined in terms of sets of actions within I/O automata. The idea behind the partition of locally controlled actions is that every element of the partition represents the actions under the control of a component of the global system. In this way the notion of fair turn is expressed, i.e., each component that is continuously willing to perform a locally controlled action will eventually do so. The following two propositions are proven in [LT87]. 
Proposition 2.1.14 If $x$ is a finite execution of an automaton $A$, then $x$ can be extended to a fair execution $x a_1 q_1 a_2 q_2 \cdots$ of $A$ in which every $a_i$ is a locally controlled action of $A$. □ 

Proposition 2.1.15 For all compatible automata $\{A_i : i \in I\}$, $Fair(\prod_{i \in I} A_i) = \prod_{i \in I} Fair(A_i)$, where $Fair(A_i)$ is the execution module having $fair(A_i)$ as its set of executions and $fair(A_i)$ is the set of fair executions of $A_i$. □ 


We can now define the fair behaviors of an automaton as $Fbeh(A) = External(Fair(A))$ and give a new equivalence relation that turns out to be a weak congruence for the automata's operators, i.e., a relation that is substitutive for the I/O automata operators whenever these operators are defined for all the considered expressions. 

Definition 2.1.16 (fair equivalence) Two objects $O, P$ are fair equivalent ($O =_F P$) iff $Fbeh(O) = Fbeh(P)$. □ 


With the concept of fair trace it is possible to introduce the notion of implementation. An object $O_1$ implements an object $O_2$ if they both have the same action signature and $Fbeh(O_1) \subseteq Fbeh(O_2)$. Trivial implementations are avoided by input enabling and fairness. These two concepts, in fact, state that a process must accept all stimuli from the external environment and must perform its output actions whenever it has the possibility to do so, i.e., it must give an answer when requested. 

On the basis of the previous discussion we can define three main relations between I/O automata that will be used throughout the rest of the thesis. 


Definition 2.1.17 (preorder relations) Given an object $O$, let $Quiescent(O)$ be the set of quiescent executions of $O$ and let $Qbeh(O) = External(Quiescent(O))$. Finally, let $FinUbeh(O)$ be the set of finite unfair behaviors of $O$. 

The external trace preorder on objects is defined as follows: $O \sqsubseteq_{ET} P$ iff 
1. $O$ and $P$ have the same external action signature and 
2. $FinUbeh(O) \subseteq FinUbeh(P)$. 

The quiescent preorder on objects is defined as follows: $O \sqsubseteq_Q P$ iff 
1. $O \sqsubseteq_{ET} P$ and 
2. $Qbeh(O) \subseteq Qbeh(P)$. 

The fair preorder on objects is defined as follows: $O \sqsubseteq_F P$ iff 
1. $O$ and $P$ have the same external action signature and 
2. $Fbeh(O) \subseteq Fbeh(P)$. 

The kernels of $\sqsubseteq_{ET}$, $\sqsubseteq_Q$ and $\sqsubseteq_F$ are respectively called external trace equivalence, quiescent equivalence and fair equivalence. 

• $O =_{ET} P$ iff $O \sqsubseteq_{ET} P$ and $P \sqsubseteq_{ET} O$, 
• $O =_Q P$ iff $O \sqsubseteq_Q P$ and $P \sqsubseteq_Q O$. □ 


A method to prove that an object $O_1$ implements another object $O_2$ makes use of the notion of a possibilities mapping. The main idea of a possibilities mapping is to map every reachable state $s$ of $O_1$ onto a set of states $h(s)$ of $O_2$ in such a way that every step $s_1 \xrightarrow{a} s_2$ of $O_1$ can be performed from any state of $h(s_1)$. The steps of $O_2$ must end in a state of $h(s_2)$. For a formal definition of possibilities mapping and its use the reader is referred to [LT87]. 


2.2 Process Algebras 


The main idea of Process Algebras is the existence of some basic processes and some fundamental operators modeling operations such as sequential composition, parallel composition, nondeterministic composition and synchronization. A process is represented by an expression which is built inductively from the basic processes and the fundamental operators. The semantics of each expression is given in terms of an underlying model which may vary from algebra to algebra. 

Particularly important is the way in which processes are identified in the underlying model. The equivalence (preorder) relations defined on the underlying models induce equivalence (preorder) relations on the interpreted expressions. The next step is then to define a sound and possibly complete proof system over the expressions, with the result that the relationship between expressions can be proven by means of pure algebraic analysis. 

One of the first process algebras was the calculus of Communicating Sequential Processes (CSP) [Hoa85]. CSP has a large number of operators and its semantics is given in terms of traces (sequences of actions a process can perform) and refusal sets (sets of actions that a process may refuse to perform). An action represents a visible move of a system. 

Another algebra is the Calculus of Communicating Systems (CCS) [Mil89]. The underlying 
model of CCS is given by labeled transition systems (LTS), which are state machines with 
a labeled transition relation. A LTS is associated with a CCS expression by means of an 
operational semantics as described in [Plo81]. The standard notion of equivalence for CCS is 
bisimulation [Par81]. 

In this thesis we concentrate on the LTS approach by using I/O automata as underlying 
model and we analyze a particular preorder relation which is connected to the fair preorder of 
I/O automata. For a better understanding of other different existing relations the interested 
reader is referred to [De 87] and [Gla90]. 

We now introduce the main notions for the definition of a process algebra based on the LTS approach. We start with the notion of signature. 


Definition 2.2.1 (signatures and terms) Let $S$ be a set of sorts ranged over by $s, s_1, s_2, \ldots$. A signature element is a triple $(f, s_1 s_2 \cdots s_n, s)$ consisting of a function symbol $f$, a sequence of sorts $s_1 \cdots s_n$, $s_i \in S$, $i = 1, \ldots, n$, and a single sort $s \in S$. $s$ is called the sort of the signature element and $n$ is its arity. In a signature element $(c, \Lambda, s)$, where $\Lambda$ is the empty sequence of sorts, $c$ is often referred to as a constant symbol of sort $s$. A signature is a pair $\Sigma = (S, \Omega)$ consisting of a set of sorts $S$ and a set of signature elements $\Omega$. We denote sort and function symbols of a signature by $sorts(\Sigma)$ and $op(\Sigma)$. The set of terms over $\Sigma$ is denoted by $T(\Sigma)$. The set of terms of a particular sort $s \in S$ is denoted by $T(\Sigma)_s$. □ 


A signature represents the basic processes (constants) and the operators that are considered as fundamental ($(f, s_1 s_2 \cdots s_n, s)$ is an operator taking $n$ processes respectively of sort $s_1, \ldots, s_n$ as arguments and giving back a process of sort $s$). Well known calculi like CCS are one-sorted. We presented the more general many-sorted definition because we use sorts to model interfaces associated with processes. 


The following definition introduces the notion of a substitutive relation. 


Definition 2.2.2 (substitutivity) Let $\Sigma$ be a signature and let $R$ be a relation over $T(\Sigma) \times T(\Sigma)$. $R$ is substitutive iff for each signature element $(f, s_1 s_2 \cdots s_n, s)$ of $\Sigma$ and each $t_i, t'_i$ of sort $s_i$, 

$$t_1\, R\, t'_1, \ldots, t_n\, R\, t'_n \ \Rightarrow\ f(t_1, \ldots, t_n)\, R\, f(t'_1, \ldots, t'_n).$$ 


We proceed by formally defining a calculus. 


Definition 2.2.3 (calculi) Let $A$ be a given set of labels and let $\Sigma$ be a signature. A transition rule has the form 

$$\frac{t_1 \xrightarrow{a_1} t'_1 \quad \cdots \quad t_n \xrightarrow{a_n} t'_n}{t \xrightarrow{a} t'}$$ 

where $t_i, t'_i \in T(\Sigma)$, $t, t' \in T(\Sigma)$, $a_i \in A$ and $a \in A$. The elements $t_i \xrightarrow{a_i} t'_i$ are called the premises and $t \xrightarrow{a} t'$ is called the conclusion. The interpretation of a rule is that, whenever the transitions of the premises are possible, the transition of the conclusion is possible. Transition rules can be parameterized using variables in their terms. A calculus is a triple $P = (\Sigma, A, R)$ where $\Sigma$ is a signature, $A$ is a set of labels and $R$ is a set of transition rules. □ 


We extend the transitions to sequences of labels in the obvious way by saying that $t \xrightarrow{a_1 \cdots a_n} t'$ iff $\exists t_1, \ldots, t_{n-1} : t \xrightarrow{a_1} t_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} t'$. 

We finally adapt two of the preorder relations of Section 2.1 to the process algebraic framework. Fairness is not considered at this stage. The definition of the quiescent preorder is an adaptation to the many-sorted framework of the definition of [Vaa91]. In particular we identify sorts with action signatures, i.e., we assume the existence of a bijective mapping from sorts to action signatures. We use the same relation symbols we used in Section 2.1 to emphasize the fact that we are expressing the same notions in different formalisms. We also abuse notation by writing $ext(e)$ when we mean $ext(S)$ where $S$ is the action signature associated with the sort of $e$. 
Definition 2.2.4 (preorder relations) Given a many-sorted calculus with input and output actions, the set of enabled actions from an expression $e$ is defined as 

$$\{a \mid \exists e' : e \xrightarrow{a} e'\}.$$ 

An expression $e$ is quiescent if it only enables input actions. 

The set of (finite) external traces of an expression $e$ of sort $S$ is defined as 

$$etraces(e) = \{h \lceil ext(S) \mid \exists e' : e \xrightarrow{h} e'\}$$ 

where $h$ denotes a sequence of actions and $h \lceil A$ is the projection of $h$ on $A$. 

The set of quiescent traces of an expression $e$ of sort $S$ is defined as 

$$qtraces(e) = \{h \lceil ext(S) \mid \exists e' : e \xrightarrow{h} e',\ quiescent(e')\}.$$ 

The external trace preorder $\sqsubseteq_{ET}$ is defined as follows: $e_1 \sqsubseteq_{ET} e_2$ iff 
1. $e_1$ and $e_2$ have the same external action signature and 
2. $etraces(e_1) \subseteq etraces(e_2)$. 

The quiescent preorder $\sqsubseteq_Q$ is defined as follows: $e_1 \sqsubseteq_Q e_2$ iff 
1. $e_1 \sqsubseteq_{ET} e_2$ and 
2. $qtraces(e_1) \subseteq qtraces(e_2)$. 

The kernels of $\sqsubseteq_{ET}$ and $\sqsubseteq_Q$ are respectively called external trace equivalence and quiescent equivalence. 

• $e_1 =_{ET} e_2$ iff $e_1 \sqsubseteq_{ET} e_2$ and $e_2 \sqsubseteq_{ET} e_1$, 
• $e_1 =_Q e_2$ iff $e_1 \sqsubseteq_Q e_2$ and $e_2 \sqsubseteq_Q e_1$. □ 
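To make the two preorders concrete, here is an added Python example (not from the thesis) that checks the external trace preorder and the quiescent preorder of Definition 2.2.4 on two constructed processes over the signature (in = {req}, out = {ack}): a specification that always answers a request, and an implementation that may internally drop a pending request. Traces are enumerated only up to a length bound, so a failed inclusion is a genuine counterexample while a successful one is established only up to that bound; the dict representation of a process and the name `tau` for the single internal action are this example's assumptions.

```python
from collections import deque

# Added example, not code from the thesis: the external trace and quiescent
# preorders of Definition 2.2.4 checked on two constructed finite transition
# systems. A process is a dict with its input and output actions, start state
# and step triples (q, a, q'); the single internal action is named "tau".
TAU = "tau"

SPEC = {  # answers every request: s0 --req--> s1 --ack--> s0
    "inp": {"req"}, "out": {"ack"}, "start": "s0",
    "steps": {("s0", "req", "s1"), ("s1", "req", "s1"), ("s1", "ack", "s0")},
}
IMPL = {  # like SPEC, but may silently drop a pending request (i1 --tau--> i2)
    "inp": {"req"}, "out": {"ack"}, "start": "i0",
    "steps": {("i0", "req", "i1"), ("i1", "req", "i1"), ("i1", "ack", "i0"),
              ("i1", TAU, "i2"), ("i2", "req", "i2")},
}

def enabled(proc, q):
    return {a for (p, a, _) in proc["steps"] if p == q}

def quiescent(proc, q):
    # only input actions enabled: no output and no internal step pending
    return enabled(proc, q) <= proc["inp"]

def traces(proc, bound):
    """etraces and qtraces of proc, restricted to external traces of length <= bound."""
    etr, qtr, seen = set(), set(), set()
    todo = deque([(proc["start"], ())])
    while todo:
        q, h = todo.popleft()
        if (q, h) in seen:
            continue
        seen.add((q, h))
        etr.add(h)
        if quiescent(proc, q):
            qtr.add(h)
        for (p, a, q2) in proc["steps"]:
            if p != q:
                continue
            h2 = h if a == TAU else h + (a,)   # projection on ext(S) drops tau
            if len(h2) <= bound:
                todo.append((q2, h2))
    return etr, qtr

def same_external_signature(p1, p2):
    return p1["inp"] == p2["inp"] and p1["out"] == p2["out"]

def et_preorder(p1, p2, bound=4):
    """p1 below p2 in the external trace preorder, up to `bound` external actions."""
    return same_external_signature(p1, p2) and traces(p1, bound)[0] <= traces(p2, bound)[0]

def q_preorder(p1, p2, bound=4):
    """p1 below p2 in the quiescent preorder, up to `bound` external actions."""
    return et_preorder(p1, p2, bound) and traces(p1, bound)[1] <= traces(p2, bound)[1]

def q_witness(p1, p2, bound=4):
    """Shortest quiescent trace of p1 that p2 cannot match (None if none found)."""
    missing = traces(p1, bound)[1] - traces(p2, bound)[1]
    return min(missing, key=len) if missing else None

if __name__ == "__main__":
    print("IMPL below SPEC (external traces):", et_preorder(IMPL, SPEC))
    print("IMPL below SPEC (quiescent):", q_preorder(IMPL, SPEC),
          "witness:", q_witness(IMPL, SPEC))
    print("SPEC below IMPL (quiescent):", q_preorder(SPEC, IMPL))
```

The implementation is below the specification in the external trace preorder (dropping a request produces no new visible sequence) but not in the quiescent preorder: after `req` it can sit in a state enabling only inputs, which the specification never does. This is the sense in which quiescent traces record that a system must eventually respond, something pure trace inclusion cannot express, and it is why the quiescent preorder, not the external trace preorder, is the implementation relation used later in the thesis.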
Chapter 3 


A Calculus of Demonic I/O Automata 


This chapter introduces a calculus for I/O automata following the demonic approach. The calculus is many-sorted and each sort represents an action signature consisting of input and output actions and a single internal action $\tau$. In the I/O automaton model action signatures may have more than one internal action, and the reason for that is to have flexibility in expressing fairness with respect to different internal tasks. Since we do not address the issue of fairness in this thesis, we present only the simple calculus with a single internal action. At the end of this chapter we give an idea of how to extend the calculus to handle multiple internal actions. 

The rest of the chapter is organized as follows: Section 3.1 presents the definition of DIOA and discusses its operators; Section 3.2 presents I/O automata definitions of the operators of DIOA; Section 3.3 presents a construction associating an I/O automaton with each DIOA expression; Section 3.4 presents an I/O automata interpretation of recursion, a tool that is used for the definition of DIOA; Section 3.5 discusses the problem of introducing multiple internal actions. 


3.1 The definition of DIOA 


In this section we present the calculus of Demonic I/O automata (DIOA); it permits representing
any finitely branching I/O automaton [LT87]. Moreover, the operational semantics of the
operators of DIOA specifies the same transition trees as the corresponding operators for I/O
automata.

Name        Op.                   Domain        Range    Restrictions
quiescent   $nil_S$               $\lambda$     $S$
omega       $\Omega_S$            $\lambda$     $S$
prefixing   $a._S$                $S$           $S$      $a \in ext(S)$
ichoice     $\oplus_S$            $S, S$        $S$
echoice     ${}_I\!+_{J,S}$       $S, S$        $S$      $I, J \subseteq in(S)$
parallel    ${}_{S_1}\|_{S_2}$    $S_1, S_2$    $S_3$    $out(S_1) \cap out(S_2) = \emptyset$,
                                                         $out(S_3) = out(S_1) \cup out(S_2)$,
                                                         $in(S_3) = (in(S_1) \cup in(S_2)) \setminus out(S_3)$
hiding      $\tau_{I,S}$          $S$           $S'$     $I \subseteq out(S)$, $S' = (in(S), out(S) \setminus I)$
renaming    $\rho_S$              $S$           $S'$     for each injective $\rho : acts(S) \to acts(S')$,
                                                         $S' = (\rho(in(S)), \rho(out(S)))$
process     $X_S$                 $\lambda$     $S$      $X_S \in V_S$

Table 3.1: The signature of DIOA

Table 3.1 presents the signature for DIOA. The sort symbols associated with the operators
range over all possible action signatures with a single internal action $\tau$ if no additional
restrictions are mentioned. Thus, rather than a single operator (e.g. parallel, renaming, etc.)
we actually have a family of operators parameterized on the sorts of the operands. To avoid
heavy notation we will drop the sort indexes from the operators whenever the sorts are evident.
Indeed all non-constant operators are uniquely determined by the sorts of their operands. As an
additional simplification we will represent action signatures as pairs $(in, out)$ since the set of
internal actions is fixed to be $\{\tau\}$. In choosing the operators we had in mind two major goals:
representing the three main operators of I/O automata (i.e., parallel, hiding and renaming) and
expressing a sufficient number of transition trees. The second goal is achieved through prefixing,
external choice and recursion; the internal choice operator will turn out to be useful for
proving completeness of axioms. Recursion is obtained in a De Simone style [De 84, De 85b].
We assume the existence of a countable set $V_S$ of process variables for each sort S and the
existence of a declaration mapping F associating a guarded expression of sort S to each process
variable of $V_S$. An expression e is guarded if each process variable occurs in the scope of a
prefixing operator.


Table 3.2 presents the transition rules for DIOA; some comments follow:

• quiescent expression “nil”:

  This expression models a quiescent automaton, where no output actions are enabled. It
  has a transition to $\Omega_S$ for each input action of sort S. Each input action of S, in fact, is
  unspecified in $nil_S$. No output is permitted.

• omega expression “$\Omega$”:

  This expression models the unspecified process, for which everything is possible. It has
  a self-loop for each action of S with the consequence that any trace with actions from S
  is an external trace of $\Omega_S$. An additional transition to $nil_S$ (rule $ome_2$) makes any trace
  a quiescent trace of $\Omega_S$. Note that the use of rule $ome_2$ is the only way to move $\Omega$ to a
  quiescent state.

• prefixing operator “a.”:

  In our interpretation a.e specifies the behavior of a process only when it first performs
  action a. For all other input actions there is a transition to $\Omega$, meaning that every choice
  of implementation is correct.


• internal choice operator “$\oplus$”:

  The expression $e \oplus f$ can move either to e or f with an internal action (rules $ich_{1,2}$,
  resembling the $\oplus$ of [DH87]) or behave like e or f (rules $ich_{3,4}$, resembling the CCS +).
  Rules $ich_{3,4}$ are necessary for input enabledness. This is an additional difference from
  IOC of Vaandrager [Vaa91] since the internal choice operator of IOC has self loops for
  any input action. The choice of using rules $ich_{3,4}$ implies that the external and quiescent
  traces of $e_1 \oplus e_2$ are obtained by unioning those of $e_1$ and those of $e_2$. Note that none of
  the four rules can be eliminated; elimination of $ich_{3,4}$ would cause loss of input enabling,
  while elimination of $ich_{1,2}$ could give rise to problems whenever $\lambda$ is a quiescent trace of
  one argument but not of the other one.

nil:      $nil_S \xrightarrow{a} \Omega_S$   for all $a \in in(S)$
$ome_1$:  $\Omega_S \xrightarrow{a} \Omega_S$   for all $a \in acts(S)$
$ome_2$:  $\Omega_S \xrightarrow{\tau} nil_S$
$pre_1$:  $a.e \xrightarrow{a} e$
$pre_2$:  $a.e \xrightarrow{b} \Omega_S$   for all $b \in in(S) \setminus \{a\}$
$ich_1$:  $e_1 \oplus_S e_2 \xrightarrow{\tau} e_1$
$ich_2$:  $e_1 \oplus_S e_2 \xrightarrow{\tau} e_2$
$ich_3$:  $e_1 \xrightarrow{a} e_1'$ implies $e_1 \oplus_S e_2 \xrightarrow{a} e_1'$   for all $a \in in(S)$
$ich_4$:  $e_2 \xrightarrow{a} e_2'$ implies $e_1 \oplus_S e_2 \xrightarrow{a} e_2'$   for all $a \in in(S)$
$ech_1$:  $e_1 \xrightarrow{a} e_1'$ implies $e_1\ {}_I\!+_J\ e_2 \xrightarrow{a} e_1'$   for all $a \in I \cup out(S)$
$ech_2$:  $e_2 \xrightarrow{a} e_2'$ implies $e_1\ {}_I\!+_J\ e_2 \xrightarrow{a} e_2'$   for all $a \in J \cup out(S)$
$ech_3$:  $e_1\ {}_I\!+_J\ e_2 \xrightarrow{a} \Omega_S$   for all $a \in in(S) \setminus (I \cup J)$
$ech_4$:  $e_1 \xrightarrow{\tau} e_1'$ implies $e_1\ {}_I\!+_J\ e_2 \xrightarrow{\tau} e_1'\ {}_I\!+_J\ e_2$
$ech_5$:  $e_2 \xrightarrow{\tau} e_2'$ implies $e_1\ {}_I\!+_J\ e_2 \xrightarrow{\tau} e_1\ {}_I\!+_J\ e_2'$
hid:      $e \xrightarrow{a} e'$ implies $\tau_I(e) \xrightarrow{\hat{a}} \tau_I(e')$   where $\hat{a} = \tau$ if $a \in I$ and $\hat{a} = a$ otherwise
ren:      $e \xrightarrow{a} e'$ implies $\rho_S(e) \xrightarrow{\rho(a)} \rho_S(e')$
$par_1$:  $e_1 \xrightarrow{a} e_1'$ and $e_2 \xrightarrow{a} e_2'$ imply $e_1\ {}_{S_1}\|_{S_2}\ e_2 \xrightarrow{a} e_1'\ {}_{S_1}\|_{S_2}\ e_2'$   for all $a \in ext(S_1) \cap ext(S_2)$
$par_2$:  $e_1 \xrightarrow{a} e_1'$ implies $e_1\ {}_{S_1}\|_{S_2}\ e_2 \xrightarrow{a} e_1'\ {}_{S_1}\|_{S_2}\ e_2$   for all $a \in acts(S_1) \setminus ext(S_2)$
$par_3$:  $e_2 \xrightarrow{a} e_2'$ implies $e_1\ {}_{S_1}\|_{S_2}\ e_2 \xrightarrow{a} e_1\ {}_{S_1}\|_{S_2}\ e_2'$   for all $a \in acts(S_2) \setminus ext(S_1)$

Table 3.2: The transition rules for DIOA


• external choice operator “${}_I\!+_J$”:

  The arguments of ${}_I\!+_J$ can perform an input action a only if a is in the corresponding
  parameter I or J (rules $ech_{1,2}$). For input actions not in $I \cup J$ there is a transition to $\Omega$
  (rule $ech_3$). The choice context is not resolved with internal actions (rules $ech_{4,5}$). This
  is essentially Vaandrager's choice operator. It would have been nice to define a CCS-like
  external choice operator without parameters; however, our attempts have failed in
  the sense that we have not been able to achieve substitutivity for the quiescent preorder
  without using I and J. See Remark 3.1.8 for an example.

• hiding, renaming and parallel operators “$\tau_I$, $\rho$, $\|$”:

  They are in direct correspondence with the operators of I/O automata. In particular,
  the constraints on the sorts for the parallel operator guarantee that actions are under the
  control of at most one process. The transition rules for the parallel operator state that
  all processes synchronize on common actions and evolve independently on the others.
  Note that, although processes synchronize on common actions, the communication is
  asynchronous since at most one process has the control of each action. The restrictions on
  hiding and renaming are directly inherited from I/O automata. Injectivity of $\rho$ is required
  to guarantee distributivity and the restriction on hiding is kept to avoid unnecessary
  complications.

Below, a few basic properties of DIOA are listed.


Definition 3.1.1 (sort consistency) A many-sorted calculus is sort consistent if the sort of
every expression is invariant under transition.

Proposition 3.1.2 DIOA is sort consistent.

Definition 3.1.3 (input enabledness) An expression e is input enabled if, for every e' such that
$e \xrightarrow{h} e'$ for some $h \in acts(e)^*$, $in(e) \subseteq enabled(e')$. A many-sorted calculus with interfaces associated with expressions is
input enabled if each expression is input enabled.

Proposition 3.1.4 DIOA is input enabled. □

Theorem 3.1.5 (substitutivity) External trace preorder and quiescent preorder are substitutive
for DIOA. □

The proofs of the above results are standard and can be done by case analysis. For the
substitutivity theorem we cannot use Vaandrager's results [Vaa91] since the internal choice
operator does not fit Vaandrager's general format.


Remark 3.1.6 It is possible to characterize each DIOA expression in terms of the external
and quiescent traces it exhibits. The inductive definition is as follows:

• $etraces(\Omega_S) = qtraces(\Omega_S) = ext(S)^*$,

• $etraces(nil_S) = qtraces(nil_S) = \{\lambda\} \cup \{at \mid a \in in(S), t \in ext(S)^*\}$,

• $etraces(a.e) = \{\lambda\} \cup \{at \mid t \in etraces(e)\} \cup \{bt \mid b \in in(S) \setminus \{a\}, t \in ext(e)^*\}$,
  $qtraces(a.e) = \{\lambda\} \cup \{at \mid t \in qtraces(e)\} \cup \{bt \mid b \in in(S) \setminus \{a\}, t \in ext(e)^*\}$ if $a \in in(e)$,
  $qtraces(a.e) = \{at \mid t \in qtraces(e)\} \cup \{bt \mid b \in in(S) \setminus \{a\}, t \in ext(e)^*\}$ if $a \notin in(e)$,

• $etraces(e \oplus f) = etraces(e) \cup etraces(f)$,
  $qtraces(e \oplus f) = qtraces(e) \cup qtraces(f)$,

• $etraces(e\ {}_I\!+_J\ f) = \{\lambda\} \cup \{at \mid a \in I \cup out(e), at \in etraces(e)\}$
  $\quad \cup \{at \mid a \in J \cup out(f), at \in etraces(f)\}$
  $\quad \cup \{at \mid a \in in(S) \setminus (I \cup J), t \in ext(e)^*\}$,
  $qtraces(e\ {}_I\!+_J\ f) = (\{\lambda\} \cap qtraces(e) \cap qtraces(f))$
  $\quad \cup \{at \mid a \in I \cup out(e), at \in qtraces(e)\}$
  $\quad \cup \{at \mid a \in J \cup out(f), at \in qtraces(f)\}$
  $\quad \cup \{at \mid a \in in(S) \setminus (I \cup J), t \in ext(e)^*\}$,

• $etraces(\tau_I(e)) = \{t\lceil (ext(e) \setminus I) \mid t \in etraces(e)\}$,
  $qtraces(\tau_I(e)) = \{t\lceil (ext(e) \setminus I) \mid t \in qtraces(e)\}$,

• $etraces(\rho(e)) = \{\rho(t) \mid t \in etraces(e)\}$,
  $qtraces(\rho(e)) = \{\rho(t) \mid t \in qtraces(e)\}$,

• $etraces(e \| f) = \{t \in ext(e \| f)^* \mid t\lceil ext(e) \in etraces(e),\ t\lceil ext(f) \in etraces(f)\}$,
  $qtraces(e \| f) = \{t \in ext(e \| f)^* \mid t\lceil ext(e) \in qtraces(e),\ t\lceil ext(f) \in qtraces(f)\}$.


Remark 3.1.7 The main difference between internal and external choice can be seen by means
of an external observer. Consider processes

$P_1 \stackrel{def}{=} a.b.nil\ {}_{\{a\}}\!+_{\emptyset}\ nil$ and

$P_2 \stackrel{def}{=} a.b.nil \oplus nil$

where a is an input action and b is an output action. Consider an external observer O performing
an output action a and then waiting for an input action b. If O is interacting with $P_1$ it will
always receive the b-signal after performing the a-action since the choice context of $P_1$ is resolved
when O provides a; if O is interacting with $P_2$ then the system could send any signal to O since
$P_2$, while receiving a, can either move according to $a.b.nil$ or $nil$. In other words $P_2$ has
decided internally how to accept action a.

The reader might think that $e \oplus f$ is equivalent to $e\ {}_A\!+_A\ f$ where $A = in(e)$. This fact,
unfortunately, is false since there are possibilities of discrepancies when considering the quiescence
of $\lambda$. The difference can be noted by letting O interact respectively with $a.(b.nil\ {}_{\emptyset}\!+_{\emptyset}\ nil)$
and $a.(b.nil \oplus nil)$. In the first case O will always receive the b-signal while, in the second
case, the interacting process may internally decide not to perform the b-move.


Remark 3.1.8 There are some immediate questions about the definition we have given for the
choice operators:

(a) why did we choose only to allow internal and external choice of expressions with the same
action signature?
(b) why did we choose to use two parameters I, J for the external choice operator?

The answer to question (a) is strictly related to sort consistency. Suppose we allowed the sum
(external choice) of expressions with different signatures and consider

$P_1 = a.nil_{(\emptyset,\{a\})}\ {}_{\emptyset}\!+_{\emptyset}\ b.nil_{(\emptyset,\{b\})}$

$P_2 = a.nil_{(\emptyset,\{a,b\})}\ {}_{\emptyset}\!+_{\emptyset}\ b.nil_{(\emptyset,\{a,b\})}$

where every pair associated with nil represents its action signature (recall that the pair $(in, out)$
represents an action signature having input actions $in$, output actions $out$ and internal action
$\tau$). It is reasonable to say that the output actions of $P_1$ are $\{a, b\}$, hence $traces(P_1) = \{\lambda, a, b\} =
traces(P_2)$. Consider now

$P_3 = nil_{(\{a\},\emptyset)}$

It is immediate to see that $in(P_1 \| P_3) = in(P_2 \| P_3) = \emptyset$ and that $traces(P_2 \| P_3) = \{\lambda, a, b\}$.
On the other hand $P_1$ “loses” the output action a after performing action b because there is
no reason to consider a an output action of $nil_{(\emptyset,\{b\})}$. In particular a becomes an input action
if $P_1$ is composed with $P_3$, hence $traces(P_1 \| P_3) = \{\lambda, a, b, ba, baa, bab, \ldots\}$ and trace preorder
is not substitutive. By means of some changes on the external signature it might be possible
to define a calculus with dynamic signatures (i.e., a calculus that is not sort consistent) that is
substitutive for trace preorders, but this topic goes beyond the scope of this thesis.

For point (b) one might like to define an unparameterized choice operator and implicitly
treat transitions to $\Omega$. Consider for example the expression $a.e_1 + b.e_2$ where a, b are input
actions and consider another input action c of $e_1$. When provided with a the system should
evolve to $e_1$ since the behavior for a is specified by $a.e_1$; when provided with b the system
should evolve to $e_2$ since the behavior for b is specified by $b.e_2$; when provided with c the system
should move to $\Omega$ since the behavior for c is specified neither by $a.e_1$ nor by $b.e_2$. It is
easy to see that external and quiescent trace preorders are not substitutive for +. Consider for
example the signature $S = (\{a\}, \{b\})$. We can easily check that

$nil \equiv_Q a.\Omega$

since nil moves to $\Omega$ with action a, but

$a.nil + nil \not\equiv_Q a.nil + a.\Omega$

since ab is a quiescent trace of the right process but not of the left one. Process nil, in fact, does
not specify the behavior for action a, hence $a.nil + nil$, when provided with a, should move
to nil from which action b is not enabled; on the other hand the behavior for a is specified by
$a.\Omega$, hence $a.nil + a.\Omega$ can move to $\Omega$ with action a and then perform action b before moving
to nil. Unfortunately we have not been able to find an unparameterized choice operator for
which the quiescent preorder is substitutive.


3.2 DIOA operators for I/O automata

In the previous section we have defined the transition rules for the renaming, hiding and parallel
operators of DIOA in such a way that they behave in the same way as the corresponding
operators of I/O automata with a single internal action. We have also defined another set of
operators (prefixing, internal choice, external choice) and a set of basic expressions (nil and $\Omega$)
in order to have sufficient expressive power.

In this section we define a new set of operators for I/O automata with one internal action
in such a way that they have the same behavior as the prefixing, internal choice and external
choice operators of DIOA. We analyze each single operator: let $A = (Q_A, Q_A^0, S_A, t_A, P_A)$ and
$B = (Q_B, Q_B^0, S_B, t_B, P_B)$.

• prefixing operator “a.”:

  The automaton $a.A$, where $a \in acts(S_A)$, is defined to be

  $(Q_A \cup \{q\} \cup Q_\Omega,\ \{q\},\ S_A,\ t',\ P_A)$

  where $Q_\Omega$ is the set of states of the unspecified automaton and

  $t' = t_A$
  $\quad \cup \{(q, a, q_A) \mid q_A \in Q_A^0\}$
  $\quad \cup \{(q, b, q_\Omega) \mid b \in in(S_A) \setminus \{a\}\}$
  $\quad \cup t_\Omega$

  where $q_\Omega$ is the initial state of the unspecified automaton and $t_\Omega$ is the transition relation
  for the unspecified automaton. The unspecified automaton is formally defined in the next
  section. Here we just assume that it can be defined.
• internal choice operator “$\oplus$”:

  The automaton $A \oplus B$, where $S_A = S_B$, is defined to be

  $(Q_A \cup Q_B \cup \{q\},\ \{q\},\ S_A,\ t_A \cup t_B \cup t',\ P_A)$

  where

  $t' = \{(q, \tau, q_A) \mid q_A \in Q_A^0\}$
  $\quad \cup \{(q, \tau, q_B) \mid q_B \in Q_B^0\}$
  $\quad \cup \{(q, a, q_A') \mid a \in in(S_A) \text{ and } \exists q_A \in Q_A^0 : (q_A, a, q_A') \in t_A\}$
  $\quad \cup \{(q, a, q_B') \mid a \in in(S_B) \text{ and } \exists q_B \in Q_B^0 : (q_B, a, q_B') \in t_B\}$

• external choice operator “${}_I\!+_J$”:

  The automaton $A\ {}_I\!+_J\ B$, where $S_A = S_B$ and $I, J \subseteq in(S_A)$, is defined to be

  $(Q_A \cup Q_B \cup Q_A \times Q_B \cup Q_\Omega,\ Q_A^0 \times Q_B^0,\ S_A,\ t',\ P_A)$

  where

  $t' = t_A$
  $\quad \cup t_B$
  $\quad \cup t_\Omega$
  $\quad \cup \{(q_A \times q_B, a, q_A') \mid (q_A, a, q_A') \in t_A,\ a \in I \cup out(S_A),\ q_B \in Q_B\}$
  $\quad \cup \{(q_A \times q_B, a, q_B') \mid (q_B, a, q_B') \in t_B,\ a \in J \cup out(S_B),\ q_A \in Q_A\}$
  $\quad \cup \{(q_A \times q_B, a, q_\Omega) \mid a \in in(S_A) \setminus (I \cup J),\ q_A \in Q_A,\ q_B \in Q_B\}$
  $\quad \cup \{(q_A \times q_B, \tau, q_A' \times q_B) \mid (q_A, \tau, q_A') \in t_A,\ q_B \in Q_B\}$
  $\quad \cup \{(q_A \times q_B, \tau, q_A \times q_B') \mid (q_B, \tau, q_B') \in t_B,\ q_A \in Q_A\}$

  Note that the above definition might contain many unreachable states.

The substitutivity result of Theorem 3.1.5 and the compositionality results of Remark 3.1.6
are trivially valid also for the new operators defined over I/O automata.
We can also define a transition relation directly over I/O automata as follows:

$(Q_A, Q_A^0, S_A, t_A, P_A) \xrightarrow{a} (Q_A, \{q\}, S_A, t_A, P_A)$

iff $\exists q_A \in Q_A^0 : (q_A, a, q) \in t_A$. Finally we can define the notion of quiescent automaton as
follows: $(Q_A, Q_A^0, S_A, t_A, P_A)$ is quiescent iff $\exists q \in Q_A^0$ such that q is quiescent. The main result, relating
the DIOA operators with the I/O automata operators, is then the following:

Proposition 3.2.1 (transition rules for I/O automata) For every I/O automata operator
op of arity n, the transition relation of the composition of n automata $A_1, \ldots, A_n$ is completely
determined in terms of the transition relations of $A_1, \ldots, A_n$ by using the transition rules
for DIOA. More precisely, if $\exists A \mid op(A_1, \ldots, A_n) \xrightarrow{a} A$ according to the transition relation
defined on I/O automata, then $\exists A' \equiv_Q A \mid op(A_1, \ldots, A_n) \xrightarrow{a} A'$ according to the transition rules
of DIOA and vice versa.

Proof. Simple case analysis for each operator. □

The above proposition says that we can use the transition rules for DIOA in order to
determine the behavior of the composition of simpler automata. Moreover it confirms the fact
that the definitions of the operators for I/O automata are consistent with the definitions of the
corresponding operators of DIOA.


3.3 DIOA expressions and I/O automata

In this section we define what it means for an expression to represent an I/O automaton by
explicitly constructing the automaton associated with it.

Definition 3.3.1 Given an expression e of sort s, the automaton $Aut(e)$ associated with e is
defined to be $Aut(e) = (S, Q, q_0, t, P)$ where S is the action signature associated with sort s, Q
is the set of reachable states from e, $q_0$ is e, t is the transition relation associated with e, and
$P = \{local(S)\}$. □

The fact that $Aut(e)$ is an I/O automaton is a direct consequence of the input enabling
and sort consistency properties of DIOA expressions. The definition of the partition P of the
locally controlled actions of S is arbitrary since we do not deal with fairness.
We now state two important propositions showing the consistency of the definitions we have
given in this chapter.

Proposition 3.3.2 Given a DIOA expression e,
1. $etraces(e) = Ubeh(Aut(e))$ and
2. $qtraces(e) = Qbeh(Aut(e))$.

Proof. Direct consequence of Definition 3.3.1. □

Proposition 3.3.3 Aut is a morphism from DIOA expressions to I/O automata.

Proof. We prove the proposition for the internal choice operator. The proof for the other
operators is similar.

$Ubeh(Aut(e \oplus f)) =$ by Proposition 3.3.2
$etraces(e \oplus f) =$ by Remark 3.1.6
$etraces(e) \cup etraces(f) =$ by Proposition 3.3.2
$Ubeh(Aut(e)) \cup Ubeh(Aut(f)) =$ by Remark 3.1.6 applied to I/O automata
$Ubeh(Aut(e) \oplus Aut(f))$.

The case for the quiescent behaviors is similar. □

Proposition 3.3.3 says that DIOA operators are preserved by the mapping Aut. For example

$Aut(e \oplus f) \equiv_Q Aut(e) \oplus Aut(f)$

where the left $\oplus$ is the internal choice operator of DIOA and the right $\oplus$ is the internal choice
operator of I/O automata.


3.4 Recursion and I/O automata

How can recursion be interpreted within I/O automata? A definition of the form $X \stackrel{def}{=} E(X)$
can be interpreted as an equation between I/O automata meaning that the automaton X and
the automaton $E(X)$ have to be quiescent trace equivalent. In other words the automaton
X has to be a fixpoint of the equation $X \equiv_Q E(X)$. It could be the case, however, that the
equation has more than one fixpoint, therefore we need a method for choosing a particular
fixpoint of an equation.

A natural fixpoint that can be considered is $Aut(X)$ where X and $E(X)$ are viewed as
DIOA expressions. In Chapter 4 we provide a theorem about the uniqueness of the fixpoint for
a set of equations.

3.5 Dealing with multiple internal actions

DIOA does not completely capture the features of the I/O automaton model since it is defined
on signatures with only one internal action. The choice of this restricted set of action signatures
is due to the fact that we do not address the problem of fairness within this thesis.

It is not difficult to expand DIOA in such a way that it deals with multiple internal actions.
Two main consequences must be taken into consideration: the preorder relations will be defined
between expressions with different sorts (all sorts with the same external action signature) and
substitutivity will no longer be valid (if $P \equiv Q$ it might happen that there is a process C such
that $P \| C$ is legal while $Q \| C$ is not legal). The new property that is valid is weak substitutivity,
i.e., two equivalent processes cannot be distinguished in any context in which they can both be
inserted.

The problem of defining calculi with multiple internal actions is completely addressed in
[Seg91] where Vaandrager's work [Vaa91] is extended to the many-sorted setting. In [Seg91]
there is also the extended version of an angelic calculus of I/O automata (called IOA).
Chapter 4

Algebraic theorems for the Quiescent Preorder

This chapter presents a set of theorems about I/O automata and the operators defined in
Chapter 3. A theorem is a statement about the relationship between two automata where each
automaton is represented by expressions with free variables. Each variable is meant to represent
an I/O automaton. An example of a theorem is

$e \equiv_Q e \oplus e$ (4.1)

stating that an automaton e is equivalent to the internal choice composition of e with itself. In
other words $\oplus$ is idempotent.

Not all theorems, however, can be just expressed as a relationship between two expressions.
For example, it is not true in general that the automaton e is equivalent to the automaton
$e\ {}_I\!+_J\ e$. The above equivalence is valid only if a particular property $P(e)$ is valid for the set of
external and quiescent traces of e. The statement of the theorem is then

$e \equiv_Q e\ {}_I\!+_J\ e$ if $P(e)$ (4.2)

meaning “if the automaton e satisfies the property P then $e \equiv_Q e\ {}_I\!+_J\ e$”. The condition
expressed by the property P is called side condition.
From the algebraic point of view, however, the above theorems have to be interpreted
as assertions about DIOA expressions meaning, for example, that the DIOA expression e is
equivalent to the DIOA expression $e \oplus e$. In the case of DIOA a theorem is called an axiom, and
an axiom is said to be sound for the I/O automaton model if it states a true property of
the automata associated with the related expressions.

An additional property of axioms is that they have to be model independent, i.e., they
have to be stated purely in terms of the syntactic structure of an expression without using any
semantical reasoning. In particular theorem (4.2) cannot be directly interpreted as an axiom
since its side condition is not expressed in terms of the syntactic structure of e, but rather in terms
of the semantics associated with e.

To view theorem (4.2) as an axiom we need a syntactic characterization p of P or a sound
proof system for P. In this thesis we pursue the approach of the syntactic characterization p
of P. It might not be the case that a syntactic property p equivalent to P can be defined,
therefore in general we introduce a property p such that $p(e)$ implies $P(e)$ and we write a real
axiom

$e \equiv_Q e\ {}_I\!+_J\ e$ if $p(e)$. (4.3)

In this thesis we want to keep a clear distinction between theorems and axioms. Theorems
are helpful only for people working with I/O automata since they provide a set of manipulation
rules for I/O automata; axioms, on the other side, are useful for algebraists since they make it possible
to capture the essence of the quiescent preorder just by means of syntactic analysis.

In accordance with the dual view theorems/axioms, this chapter deals with theorems only by
providing their statements based on semantic side conditions. The next chapter, instead, provides
the axiomatic view of the theorems of this chapter by providing syntactic approximations
of the side conditions used in this chapter.

The rest of this chapter is organized as follows: Section 4.1 presents some auxiliary semantic
functions which are used for the formulation of the side conditions for the theorems; Section
4.2 presents general theorems concerning I/O automata where the auxiliary functions are those
of Section 4.1. The theorems of Section 4.2 will be converted into axioms in the next chapter;
Section 4.3 presents some tools for dealing with recursively defined automata. Since the soundness
proofs of the theorems are standard, we just provide the actual soundness proofs of some
of them.


4.1 Auxiliary functions

In this section we introduce and justify some auxiliary functions that are useful for the formulation
of the theorems for I/O automata. The auxiliary functions are defined in terms of the
external and quiescent traces an automaton (or an expression) exhibits. In Chapter 5 we will
provide related definitions in terms of the syntactic structure of the expressions.

We start by defining the set of Weakly Specified Input actions of an automaton:

$Wsi(e) = \{a \in in(e) \mid \exists t \in ext(e)^* : at \notin qtraces(e)\}.$

The idea behind the definition of Wsi is the following: if a specification of a device specifies
something about the behavior of the device in the presence of an input action a, then not all
choices of implementation should be correct when dealing with action a, i.e., some sequences of
actions should not be allowed after performing action a. The word Weakly emphasizes the fact
that we are abstracting from internal actions.

Another useful set is the set of Weakly Specified Output actions of an automaton:

$Wso(e) = \{a \in out(e) \mid a \in etraces(e)\}.$

$Wso(e)$ is the set of output actions that could become enabled according to the specification
e. The word Weakly emphasizes the fact that we are considering output enabled actions up to
internal transitions. In other words, as for Wsi, we are abstracting from internal actions. The
usefulness of Wso is clear when stating distributivity of hiding over external choice. It is not
true in general that $\tau_I(e\ {}_H\!+_K\ f) \equiv_Q \tau_I(e)\ {}_H\!+_K\ \tau_I(f)$ since performing an action from I resolves
the choice context in the left automaton but does not resolve it in the right one. The condition
for the above equivalence to hold turns out to be $Wso(e) \cap I = Wso(f) \cap I = \emptyset$.

Other useful functions are

$Localen(e) = \{a \in local(e) \mid \exists e' : e \xrightarrow{a} e'\}$,
$Inten(e) = true$ iff $\tau \in Localen(e)$ and
$Quiet(e) = true$ iff $Localen(e) = \emptyset$.
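As an added example (not part of the thesis), the following Python program implements the transition rules of Table 3.2 for the recursion-free fragment of DIOA (nil, $\Omega$, prefixing, internal choice, external choice) over the constructed sort $S = (\{a\}, \{b\})$ of Remark 3.1.8, computes external and quiescent traces cut at a length bound (since $\Omega$ has infinitely many), and uses them to check the quiescent preorder, the observer scenario of Remark 3.1.7, the function Wsi defined above, and the side condition of theorem Ec3 of Section 4.2. The encoding of expressions as tuples and the length bound are assumptions of this example, so the comparisons are bounded checks rather than proofs.

```python
from itertools import product

TAU = "tau"
IN, OUT = {"a"}, {"b"}          # constructed sort S = ({a}, {b}), as in Remark 3.1.8
EXT = IN | OUT
ACTS = EXT | {TAU}

# Expressions are nested tuples (assumed encoding): ("nil",), ("omega",),
# ("pre", a, e), ("ich", e, f) and ("ech", I, J, e, f) with I, J frozensets.
NIL, OMEGA = ("nil",), ("omega",)
def pre(a, e): return ("pre", a, e)
def ich(e, f): return ("ich", e, f)
def ech(I, J, e, f): return ("ech", frozenset(I), frozenset(J), e, f)

def step(e):
    """All (action, e') pairs derivable from e by the rules of Table 3.2."""
    kind = e[0]
    if kind == "nil":                       # nil_S --a--> Omega_S for a in in(S)
        return {(a, OMEGA) for a in IN}
    if kind == "omega":                     # ome_1 self loops, ome_2 to nil
        return {(a, OMEGA) for a in ACTS} | {(TAU, NIL)}
    if kind == "pre":                       # pre_1, pre_2
        _, a, f = e
        return {(a, f)} | {(b, OMEGA) for b in IN - {a}}
    if kind == "ich":                       # ich_1..ich_4
        _, f, g = e
        moves = {(TAU, f), (TAU, g)}
        moves |= {(a, f1) for a, f1 in step(f) if a in IN}
        moves |= {(a, g1) for a, g1 in step(g) if a in IN}
        return moves
    _, I, J, f, g = e                       # ech_1..ech_5
    moves = {(a, OMEGA) for a in IN - (I | J)}           # ech_3
    for a, f1 in step(f):
        if a in I | OUT: moves.add((a, f1))              # ech_1
        if a == TAU: moves.add((TAU, ech(I, J, f1, g)))  # ech_4
    for a, g1 in step(g):
        if a in J | OUT: moves.add((a, g1))              # ech_2
        if a == TAU: moves.add((TAU, ech(I, J, f, g1)))  # ech_5
    return moves

def quiescent(e):
    """Definition 2.2.4: e enables only input actions."""
    return all(a in IN for a, _ in step(e))

def tau_closure(states):
    """States reachable through internal moves only."""
    seen, todo = set(states), list(states)
    while todo:
        for a, e1 in step(todo.pop()):
            if a == TAU and e1 not in seen:
                seen.add(e1); todo.append(e1)
    return seen

def traces(e, maxlen=4):
    """(etraces, qtraces) of e restricted to traces of length <= maxlen."""
    et, qt, frontier = set(), set(), {(): tau_closure({e})}
    while frontier:
        nxt = {}
        for t, states in frontier.items():
            et.add(t)
            if any(quiescent(s) for s in states): qt.add(t)
            if len(t) == maxlen: continue
            for s in states:
                for a, s1 in step(s):
                    if a != TAU: nxt.setdefault(t + (a,), set()).add(s1)
        frontier = {t: tau_closure(ss) for t, ss in nxt.items()}
    return et, qt

def leq_q(e, f, maxlen=4):
    """Bounded check of the quiescent preorder e <=_Q f (same sort assumed)."""
    (et_e, qt_e), (et_f, qt_f) = traces(e, maxlen), traces(f, maxlen)
    return et_e <= et_f and qt_e <= qt_f

def eq_q(e, f, maxlen=4):
    return leq_q(e, f, maxlen) and leq_q(f, e, maxlen)

def wsi(e, maxlen=4):
    """Weakly specified inputs (Section 4.1), bounded by maxlen."""
    qt = traces(e, maxlen)[1]
    tails = [t for k in range(maxlen) for t in product(sorted(EXT), repeat=k)]
    return {a for a in IN if any((a,) + t not in qt for t in tails)}

# Remark 3.1.7: P1 resolves the choice on input a, P2 has decided internally,
# so "a" is a quiescent trace of P2 but not of P1.
P1 = ech({"a"}, set(), pre("a", pre("b", NIL)), NIL)
P2 = ich(pre("a", pre("b", NIL)), NIL)
# Theorem Ec3 (Section 4.2): e ==_Q e I+J e requires Wsi(e) within I union J.
E = pre("a", pre("b", NIL))

if __name__ == "__main__":
    print("a quiescent for P1, P2:", ("a",) in traces(P1)[1], ("a",) in traces(P2)[1])
    print("nil ==_Q a.Omega:", eq_q(NIL, pre("a", OMEGA)))          # Remark 3.1.8
    print("Wsi(E) =", wsi(E), "; Ec3 with I={a}:", eq_q(E, ech({"a"}, set(), E, E)),
          "; with I=J={}:", eq_q(E, ech(set(), set(), E, E)))
```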


4.2 General theorems

In this section we present some general theorems that are sound for the quiescent preorder
over I/O automata. We call them “theorems” since they are viewed as properties of I/O
automata. Each expression stands for an I/O automaton and the operators are those of I/O
automata. Moreover, the auxiliary functions are defined in terms of the external and quiescent
traces of the considered automata. In the next chapter we will define some other syntactic
functions to be substituted for the semantic ones and the theorems of this section will be
called “axioms” by viewing the expressions as actual DIOA expressions and the operators as
DIOA operators. Note that by the word “sound” we mean that the given theorems state valid
properties of I/O automata. When dealing with axioms, instead, the word “sound” means
that the relationship between two syntactic expressions stated by an axiom is valid in the
Input/Output automaton model.

The first group of theorems concerns the relationship between $\Omega$ and the other operators. In
particular theorem M states that any automaton is an implementation of $\Omega$.

Proposition 4.2.1 (omega theorems) Let e be an I/O automaton. The following theorems
are sound.

R   $\rho(\Omega_S) \equiv_Q \Omega_{\rho(S)}$
M   $e \sqsubseteq_Q \Omega$
I   $\tau_I(\Omega_S) \equiv_Q \Omega_{S'}$   where $S' = (in(S), out(S) \setminus I)$
P   $\Omega_{S_1} \| \Omega_{S_2} \equiv_Q \Omega_{S_3}$   where $S_3$ is the composition of $S_1$ and $S_2$
The following theorems concern the renaming operator, which is distributive over every
other operator.

Proposition 4.2.2 (renaming theorems) Let e, f be I/O automata. The following theorems
are sound.

R1   $\rho(nil) \equiv_Q nil$
R2   $\rho(a.e) \equiv_Q \rho(a).\rho(e)$
R3   $\rho(e \oplus f) \equiv_Q \rho(e) \oplus \rho(f)$
R4   $\rho(e\ {}_I\!+_J\ f) \equiv_Q \rho(e)\ {}_{\rho(I)}\!+_{\rho(J)}\ \rho(f)$
R5   $\rho_1(\rho_2(e)) \equiv_Q \rho_1 \circ \rho_2(e)$
R6   $\rho(\tau_I(e)) \equiv_Q \tau_{\rho'(I)}(\rho'(e))$   if $\rho'$ extends $\rho$
R7   $\rho(e \| f) \equiv_Q \rho(e) \| \rho(f)$

The following theorems concern the parallel operator. This operator is commutative and
associative, but does not have a neutral element. In fact in general $e \| nil \not\equiv_Q e$. The problem is
that nil may have the control of some actions (essentially its output actions) which disappears
by only considering e. However a weaker property is valid saying that two automata $\Omega$ can be
collapsed (see theorem P). Theorem P3 describes the properties of the parallel composition of
an $\Omega$ automaton with a nil automaton.

Proposition 4.2.3 (parallel theorems) Let e, f and g be I/O automata. The following theorems
are sound.

P1   $e \| f \equiv_Q f \| e$
P2   $(e \| f) \| g \equiv_Q e \| (f \| g)$
P3   $\Omega_{S_1} \| nil_{S_2} \sqsubseteq_Q \Omega_{S_3} \| nil_{S_4}$   if $(out(S_1) \subseteq out(S_3)) \wedge ((in(S_2) \subseteq in(S_4)) \vee out(S_4) = \emptyset)$
The following theorems concern the internal choice operator. Theorems $Ic_{1,2,3}$ state
commutativity, associativity and idempotence. Theorems $Ic_{4,5,6,7}$ state the distributivity of all the
operators of I/O automata (DIOA) over $\oplus$. Theorem Ic8 is immediate.

Proposition 4.2.4 (internal choice theorems) Let e, f, g be I/O automata. The following
theorems are sound.

Ic1   $e \oplus f \equiv_Q f \oplus e$
Ic2   $(e \oplus f) \oplus g \equiv_Q e \oplus (f \oplus g)$
Ic3   $e \equiv_Q e \oplus e$
Ic4   $a.(e \oplus f) \equiv_Q a.e \oplus a.f$
Ic5   $(e \oplus f)\ {}_I\!+_J\ g \equiv_Q (e\ {}_I\!+_J\ g) \oplus (f\ {}_I\!+_J\ g)$
Ic6   $\tau_I(e \oplus f) \equiv_Q \tau_I(e) \oplus \tau_I(f)$
Ic7   $(e \oplus f) \| g \equiv_Q (e \| g) \oplus (f \| g)$
Ic8   $e \sqsubseteq_Q e \oplus f$


The following theorems concern the external choice operator. This is the most complicated
operator of DIOA. The first two theorems state a sort of commutative and associative property.
In fact they are not really commutative and associative properties since the operator changes.
Theorem Ec3 states a sort of idempotence property. This property is not valid in general since,
as noted in the introduction, the parameters of the choice operator play an important role.
Theorem Ec4 permits duplicating an automaton e inside a choice context. Theorem Ec4 is
different from theorem Ec3 in that the presence of parameter I does not require any condition
on $Wsi(e)$.

Theorems $Ec_{5,6,7,8}$ deal with the possibilities of adding or removing automata from a choice
context. Their combinations give rise to theorems $Ec_{15,16}$. Theorem Ec5 is particularly
interesting since it expresses the main idea of our demonic approach: if e is not specifying anything
about the occurrence of an input action a then any choice of implementation in the presence of
a is correct.

Theorem Ec9 is a direct consequence of the definition of function Wsi. Its use, associated
with theorems $Ec_{5,7}$, gives rise to theorem Ec14. Theorem Ec14 permits minimizing the
cardinality of the parameters of the external choice operator. Finally, theorems $Ec_{10,11,12,13}$
state some relationships between the internal and external choice operators.

Proposition 4.2.5 (external choice theorems) Let e, f, g be I/O automata. The following
theorems are sound.

Ec1    $e\ {}_I\!+_J\ f \equiv_Q f\ {}_J\!+_I\ e$
Ec2    $(e\ {}_I\!+_J\ f)\ {}_{I \cup J}\!+_K\ g \equiv_Q e\ {}_I\!+_{J \cup K}\ (f\ {}_J\!+_K\ g)$
Ec3    $e \equiv_Q e\ {}_I\!+_J\ e$   if $Wsi(e) \subseteq I \cup J$
Ec4    $e\ {}_I\!+_J\ f \equiv_Q (e\ {}_H\!+_K\ e)\ {}_I\!+_J\ f$   if $I \subseteq H \cup K$
Ec5    $e \sqsubseteq_Q e\ {}_I\!+_J\ f$   if $J \cap Wsi(f) \subseteq I$ and $(not(Quiet(e)) \wedge not(Inten(e))) \vee Quiet(f)$
Ec6    $e\ {}_I\!+_J\ g \sqsubseteq_Q (e\ {}_H\!+_K\ f)\ {}_I\!+_J\ g$   if $K \cap Wsi(f) \cap I \subseteq H$ and $(not(Quiet(e)) \wedge not(Inten(e))) \vee Quiet(f)$
Ec7    $e\ {}_I\!+_J\ f \sqsubseteq_Q e$   if $Quiet(f)$, $Wsi(e) \subseteq I$ and $Wsi(e) \cap J = \emptyset$
Ec8    $(e\ {}_H\!+_K\ f)\ {}_I\!+_J\ g \sqsubseteq_Q e\ {}_I\!+_J\ g$   if $Quiet(f)$, $Wsi(e) \cap I \subseteq H$ and $K \cap Wsi(e) \cap I = \emptyset$
Ec9    $e \equiv_Q e\ {}_I\!+_J\ a.\Omega$   if $Wsi(e) \subseteq I$ and $Wsi(e) \cap J = \emptyset$
Ec10   $a.e\ {}_I\!+_J\ a.f \equiv_Q a.(e \oplus f)$   if $a \in out(e) \cup (I \cap J)$
Ec11   $e\ {}_I\!+_J\ f \sqsubseteq_Q e \oplus f$   if $Wsi(e) \cap Wsi(f) \subseteq I \cup J$
Ec12   $e\ {}_I\!+_J\ f \equiv_Q e \oplus f$   if $Wsi(e) \cup Wsi(f) \subseteq I \cap J$ and $(Quiet(e) \Leftrightarrow Quiet(f)) \wedge not(Inten(e)) \wedge not(Inten(f))$
Ec13   $(a.e\ {}_I\!+_J\ f) \oplus g \sqsubseteq_Q (a.e\ {}_I\!+_J\ f) \oplus (a.e\ {}_I\!+_K\ g)$   if $Wsi(g) \subseteq K$, $\{a\} \cap I \subseteq \{a\} \cap K$ and $a \in in(e) \vee (not(Quiet(g)) \wedge not(Inten(g))) \vee Quiet(f)$

The following theorems are derived from the theorems above; the side conditions of Ec15 and Ec16
combine those of Ec5 with Ec7 and those of Ec6 with Ec8 respectively:

Ec14   $e\ {}_I\!+_J\ f \equiv_Q e\ {}_{I \setminus \{a\}}\!+_{J \setminus \{a\}}\ f$   if $a \in I \setminus Wsi(e)$
Ec15   $e \equiv_Q e\ {}_I\!+_J\ f$   if $Quiet(f)$, $Wsi(e) \subseteq I$, $Wsi(e) \cap J = \emptyset$ and $J \cap Wsi(f) \subseteq I$
Ec16   $e\ {}_I\!+_J\ g \equiv_Q (e\ {}_H\!+_K\ f)\ {}_I\!+_J\ g$   if $Quiet(f)$, $Wsi(e) \cap I \subseteq H$, $K \cap Wsi(e) \cap I = \emptyset$ and $K \cap Wsi(f) \cap I \subseteq H$
Proof. We prove only theorem Ec3. Other examples of proofs are given for the hiding theorems. 
Due to Proposition 3.2.1 of Chapter 3, the proof can be given by using the transition rules for 
DIOA. We also use a new notation $e \stackrel{a}{\Longrightarrow} e'$, meaning that there are two automata $f, f'$ and two 
integers $i, j$ such that $e \xrightarrow{\tau^i} f \xrightarrow{a} f' \xrightarrow{\tau^j} e'$. 

Let t be an external (quiescent) trace of e. If $t = \lambda$ and t is quiescent, then, by definition 
of quiescent trace, there is a quiescent automaton $e'$ such that $e \Longrightarrow e'$. From rules ech4,5, 
$e\;{}_I{+}_J\;e \Longrightarrow e'\;{}_I{+}_J\;e'$, which is quiescent. Therefore $\lambda$ is an external (quiescent) trace of $e\;{}_I{+}_J\;e$. 
If $t \neq \lambda$ then $t = at'$ for some external action a. In particular there is an automaton $e'$ such 
that $e \stackrel{a}{\Longrightarrow} e'$ and $t'$ is an external (quiescent) trace of $e'$. If $a \in I \cup J \cup \mathit{out}(e)$, then, from 
rules ech1,2, $e\;{}_I{+}_J\;e \stackrel{a}{\Longrightarrow} e'$, hence $at'$ is an external (quiescent) trace of $e\;{}_I{+}_J\;e$; if 
$a \notin I \cup J \cup \mathit{out}(e)$ then, from rule ech3, $e\;{}_I{+}_J\;e \xrightarrow{a} \Omega$ and t is trivially an external (quiescent) 
trace of $e\;{}_I{+}_J\;e$ since any trace is a quiescent trace of $\Omega$. 

Conversely, let t be an external (quiescent) trace of $e\;{}_I{+}_J\;e$. If $t = \lambda$ and t is quiescent, then, 
by definition of quiescent trace, there are two quiescent automata $e', e''$ such that $e\;{}_I{+}_J\;e \Longrightarrow 
e'\;{}_I{+}_J\;e''$ where $e \Longrightarrow e'$ and $e \Longrightarrow e''$. The fact that $\lambda$ is a quiescent trace of e is immediate 
from the hypothesis above. If $t \neq \lambda$ then $t = at'$ for some action a. If $a \in I \cup J \cup \mathit{out}(e)$, then, 
from rules ech1,2, there is an automaton $e'$ such that $e\;{}_I{+}_J\;e \stackrel{a}{\Longrightarrow} e'$ where $e \stackrel{a}{\Longrightarrow} e'$ and $t'$ is an 
external (quiescent) trace of $e'$. The conclusion is immediate once again. If $a \notin I \cup J \cup \mathit{out}(e)$, 
then a is an input action and $a \notin \mathit{Wsi}(e)$ since $\mathit{Wsi}(e) \subseteq I \cup J$. From the definition of Wsi, $at'$ 
is an external (quiescent) trace of e, hence the proof is concluded. $\square$ 
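The demonic reading of $\Omega$ used in the proof above (an input the specification says nothing about leads to the unspecified automaton, which has every trace and is quiescent) can be checked mechanically on finite automata. The following Python is an added example and not part of the thesis: it encodes finite I/O automata as transition tables, completes every input without an explicit transition to an `OMEGA` state, computes the external traces and the quiescent traces up to a length bound, and decides the quiescent preorder as inclusion of both sets. The server specification `SPEC`, its candidate implementations `GOOD`, `LEAKY` and `LAZY`, and the action names are all constructed for the example; the bound `n` stands in for the unbounded trace sets of the thesis.

```python
OMEGA = "OMEGA"  # the unspecified automaton: every external trace, always quiescent


class IOA:
    """Finite I/O automaton with demonic input completion.

    `trans` maps a state to a list of (action, target) pairs.  An input action
    with no explicit transition from a state leads to OMEGA, so an automaton
    that says nothing about an input accepts any implementation there.
    """

    def __init__(self, start, inputs, outputs, internals, trans):
        self.start = start
        self.inputs = frozenset(inputs)
        self.outputs = frozenset(outputs)
        self.internals = frozenset(internals)
        self.trans = trans

    def steps(self, state, action):
        """Targets of `action` from `state`, including the demonic completion."""
        if state == OMEGA:
            return {OMEGA} if action in self.inputs | self.outputs else set()
        targets = {t for a, t in self.trans.get(state, ()) if a == action}
        if not targets and action in self.inputs:
            targets = {OMEGA}
        return targets

    def tau_closure(self, states):
        """All states reachable from `states` by internal actions only."""
        todo, seen = list(states), set(states)
        while todo:
            s = todo.pop()
            for a, t in self.trans.get(s, ()):
                if a in self.internals and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return frozenset(seen)

    def quiescent(self, state):
        """No locally controlled (output or internal) action is enabled."""
        if state == OMEGA:
            return True
        return not any(a in self.outputs or a in self.internals
                       for a, _ in self.trans.get(state, ()))

    def traces(self, n):
        """(external traces, quiescent traces) of length at most n."""
        ext = self.inputs | self.outputs
        frontier = {(): self.tau_closure({self.start})}
        all_traces, quiescent_traces = set(), set()
        for _ in range(n + 1):
            nxt = {}
            for trace, states in frontier.items():
                all_traces.add(trace)
                if any(self.quiescent(s) for s in states):
                    quiescent_traces.add(trace)
                for a in ext:
                    after = set()
                    for s in states:
                        after |= self.steps(s, a)
                    if after:
                        nxt[trace + (a,)] = self.tau_closure(after)
            frontier = nxt
        return all_traces, quiescent_traces


def refines(impl, spec, n):
    """impl is below spec in the quiescent preorder, on traces of length <= n."""
    impl_traces, impl_quiet = impl.traces(n)
    spec_traces, spec_quiet = spec.traces(n)
    return impl_traces <= spec_traces and impl_quiet <= spec_quiet


# Constructed example.  The specification answers `req` with `ack` and says
# nothing about `cancel`; every automaton below has the same external signature.
SIG = dict(inputs={"req", "cancel"}, outputs={"ack", "leak"})
SPEC = IOA("idle", internals=set(), trans={
    "idle": [("req", "busy")], "busy": [("ack", "idle")]}, **SIG)
# Handles `cancel` explicitly and logs internally before answering: acceptable,
# because SPEC leaves `cancel` unspecified (the demonic reading of theorem Ec7).
GOOD = IOA("idle", internals={"log"}, trans={
    "idle": [("req", "pending"), ("cancel", "idle")],
    "pending": [("log", "busy")], "busy": [("ack", "idle")]}, **SIG)
# Emits an extra output: the external trace (req, leak) is not a trace of SPEC.
LEAKY = IOA("idle", internals=set(), trans={
    "idle": [("req", "busy")], "busy": [("leak", "busy2")],
    "busy2": [("ack", "idle")]}, **SIG)
# Drops the request: (req,) is a quiescent trace of LAZY but not of SPEC,
# which must still produce `ack`.  Plain trace inclusion would miss this.
LAZY = IOA("idle", internals=set(), trans={"idle": [("req", "idle")]}, **SIG)
```

`refines(GOOD, SPEC, 4)` holds and `refines(SPEC, GOOD, 2)` does not, since `SPEC` admits every continuation after `cancel` while `GOOD` commits to one; `LEAKY` fails on external traces and `LAZY` fails only on quiescent traces, which is why the preorder compares both sets.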

The following theorems concern the hiding operator. The first seven theorems show the 
relations between the hiding operator and the other ones. In particular theorem I4 establishes 
the distributivity of hiding over choice (this is the place where function Wso is used); theorem 
I7 is simply a way of saying that internal actions can be renamed. Theorems I8,9 state some 
ways of dealing with the hiding operator when it does not distribute over prefixing or external 
choice. 

The rest of the theorems permit eliminating/adding internal actions from automata. Theorem 
I10 essentially says that $\tau_I(e)$ is an implementation of $\tau_I(i.e)$. In fact the second automaton 
can move to the unspecified state with every input action before performing action i, while the 
first process may not. The condition under which the two automata can be considered equivalent 
is when also $\tau_I(e)$ can perform any trace after any input action. A sufficient condition is then 
$\mathit{Wsi}(e) = \emptyset$, and this is what is stated in theorem I11. 

Theorems I12,13 permit eliminating explicit internal actions, possibly by transforming an 
external choice into an internal one. Theorems I14,15 permit eliminating the hiding operator 
from particular classes of I/O automata that are expressible through DIOA expressions. These 
theorems are particularly important in their axiom version to achieve completeness. 

Theorems I16,17 are derived from the above theorems and are useful for the applications. 
Theorem I16 eliminates internal actions interleaved with an external one. Note that, by using 
the external choice theorems together with theorems I11,12,13, the statement of theorem I16 can 
be generalized to the case in which there is any number of hidden actions interleaved with a. 

Theorem I17 says that, if the effect of a prefix with an internal action is simply to temporarily 
block a process that can perform only locally controlled actions, then the prefix can be removed 
and the automaton can be simplified. It is a consequence of theorems I13 and Ec2,4. 


Proposition 4.2.6 (hiding theorems) Let $e, f, g$ be I/O automata and let $i \in I$. The following 
theorems are sound. 

I1: $\tau_\emptyset(e) \;=_Q\; e$ 

I2: $\tau_I(\mathit{nil}) \;\sqsubseteq_Q\; \mathit{nil}$ 

I3: $\tau_I(a.e) \;=_Q\; a.\tau_I(e)$ if $a \notin I$ 

I4: $\tau_I(e\;{}_H{+}_K\;f) \;=_Q\; \tau_I(e)\;{}_H{+}_K\;\tau_I(f)$ if $\mathit{Wso}(e) \cap I = \mathit{Wso}(f) \cap I = \emptyset$ 

I5: $\tau_I(\tau_J(e)) \;=_Q\; \tau_{I \cup J}(e)$ 

I6: $\tau_I(e)\|\tau_J(f) \;\sqsubseteq_Q\; \tau_{I \cup J}(e\|f)$ if $I \cap \mathit{acts}(f) = J \cap \mathit{acts}(e) = \emptyset$ 

I7: $e \;=_Q\; \rho(e)$ if $\rho$ is the identity function on $\mathit{ext}(e)$ 

I8: $\dfrac{\tau_I(e) \;\sqsubseteq_Q\; \tau_I(f)}{\tau_I(a.e) \;\sqsubseteq_Q\; \tau_I(a.f)}$ 

I9: $\dfrac{\tau_I(e) \;\sqsubseteq_Q\; \tau_I(g)}{\tau_I(e\;{}_H{+}_K\;f) \;\sqsubseteq_Q\; \tau_I(g\;{}_H{+}_K\;f)}$ 

I10: $\tau_I(e) \;\sqsubseteq_Q\; \tau_I(i.e)$ 

I11: $\tau_I(i.e) \;=_Q\; \tau_I(e)$ if $\mathit{Wsi}(e) = \emptyset$ 

I12: $\dfrac{\mathit{not}(\mathit{Quiet}(e)) \wedge \mathit{not}(\mathit{Inten}(e))}{\tau_I(e\;{}_H{+}_\emptyset\;i.f) \;=_Q\; \tau_I(e \oplus f)}$ if $\mathit{Wsi}(e) \subseteq H$ 

I13: $\dfrac{\mathit{Quiet}(e)}{\tau_I(e\;{}_H{+}_\emptyset\;i.f) \;=_Q\; \tau_I(e\;{}_K{+}_K\;f)}$ if $\mathit{Wsi}(e) \subseteq H$ and $\mathit{Wsi}(e) \subseteq K$ 

I14: $\tau_I((\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n})\|e) \;=_Q\; \tau_I(\Omega\|e)$ if $\forall_{1 \le j \le n}\;(\mathit{out}(S_0) \cap \mathit{in}(S_j) \cap I) \setminus \mathit{in}(e) \neq \emptyset$ 

I15: $\tau_I(\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n}) \;=_Q\; \Omega_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$ if $\forall_{1 \le i \le n}\;\mathit{out}(S_0) \cap \mathit{in}(S_i) \cap I = \emptyset$ 

The following theorems are derived from the theorems above: 

I16: $\tau_I(a.i.e\;{}_{\{a\} \cap \mathit{in}(e)}{+}_\emptyset\;i.a.e) \;=_Q\; \tau_I(a.e)$ if $\mathit{Wsi}(e) = \emptyset$ 

I17: $\tau_I(i.(e\;{}_\emptyset{+}_J\;f)\;{}_\emptyset{+}_J\;f) \;=_Q\; \tau_I(e\;{}_\emptyset{+}_J\;f)$ if $\mathit{Quiet}(f)$ and $\mathit{Wsi}(f) \subseteq J$ 

Proof. We only prove theorems I12, I13, I14 and I15. The other theorems are proven in the same way. 

I12. Let t be an external (quiescent) trace of $\tau_I(e\;{}_H{+}_\emptyset\;i.f)$. By the transition rules for $\tau_I$ and the 
definition of external trace, there is a trace $t'$ of $e\;{}_H{+}_\emptyset\;i.f$ such that $t'\lceil \mathit{ext}(\tau_I(e\;{}_H{+}_\emptyset\;i.f)) = t$ 
and $t'$ leads the system to a quiescent state if t is quiescent. Note that, since $\tau_I(e\;{}_H{+}_\emptyset\;i.f)$ 
is not quiescent, $t' \neq \lambda$ if $t = \lambda$ and t is quiescent. Since no internal actions are enabled 
from e, the first action of $t'$ is not $\tau$ and rules ech4,5 are not used for the first transition 
of $t'$. We distinguish the following cases: 

(a) rule ech1 is used for the first transition of $t'$. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{a} e'$ for some action a where $e \xrightarrow{a} e'$. By rule ich1, 
$e \oplus f \xrightarrow{\tau} e \xrightarrow{a} e'$, hence t is trivially an external (quiescent) trace of $\tau_I(e \oplus f)$. 

(b) rule ech2 is used for the first transition of $t'$. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{i} f$ and $\tau_I(e\;{}_H{+}_\emptyset\;i.f) \xrightarrow{\tau} \tau_I(f)$. By rules ich2 and tau, 
$\tau_I(e \oplus f) \xrightarrow{\tau} \tau_I(f)$ and the conclusion is immediate again. 

(c) rule ech3 is used for the first transition of $t'$. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{a} \Omega$ for some input action $a \notin H$. In particular $t = at''$ for 
some trace $t''$ and, since $\mathit{Wsi}(e) \subseteq H$, $a \notin \mathit{Wsi}(e)$. From the definition of Wsi we 
have that $at''$ is an external (quiescent) trace of e, hence $at''$ is an external (quiescent) 
trace of $\tau_I(e \oplus f)$. 

A similar and simpler argument shows the converse trace inclusion. 


I13. Let t be an external (quiescent) trace of $\tau_I(e\;{}_H{+}_\emptyset\;i.f)$. If $t = \lambda$ and t is a quiescent 
trace, then, since e is quiescent and $i.f$ is not quiescent, it must be $\tau_I(e\;{}_H{+}_\emptyset\;i.f) \xrightarrow{\tau} 
\tau_I(f) \Longrightarrow \tau_I(f')$ where $f'$ is quiescent. On the other side $\tau_I(e\;{}_K{+}_K\;f) \Longrightarrow \tau_I(g)$ where 
either $g = e\;{}_K{+}_K\;f'$ or $g = f'$ depending on the trace leading to $f'$. Since e is quiescent, 
in both cases g is quiescent and $\lambda$ is a quiescent trace of $\tau_I(e\;{}_K{+}_K\;f)$. Suppose now 
that $t \neq \lambda$. By the transition rules for $\tau_I$ and the definition of external trace, there is a 
trace $t'$ of $e\;{}_H{+}_\emptyset\;i.f$ such that $t'\lceil \mathit{ext}(\tau_I(e\;{}_H{+}_\emptyset\;i.f)) = t$ and $t'$ leads the system to a 
quiescent state if t is quiescent. Since no internal actions are enabled from e, the 
first action of $t'$ is not $\tau$ and rules ech4,5 are not used for the first transition of $t'$. We 
distinguish the following cases: 

(a) rule ech1 is used for the first transition. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{a} e'$ for some action a where $e \xrightarrow{a} e'$ and $a \in H \cup \mathit{out}(e)$. If 
$a \in K \cup \mathit{out}(e)$ then rule ech1 is applicable to $e\;{}_K{+}_K\;f$, leading the right automaton 
to $\tau_I(e')$. The conclusion is then immediate. If $a \notin K \cup \mathit{out}(e)$ then rule ech3 is 
applicable to $e\;{}_K{+}_K\;f$, leading the system to $\Omega$. The conclusion is immediate again. 

(b) rule ech2 is used for the first transition. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{i} f$ and $\tau_I(e\;{}_H{+}_\emptyset\;i.f) \xrightarrow{\tau} \tau_I(f)$. Let $t' = i\,\tau^r\,b\,t''$. Since 
$\tau^r\,b\,t''$ is a trace of f, there are $f', f''$ such that $f \Longrightarrow f' \xrightarrow{b} f''$ where $t''$ is a trace of $f''$ 
leading the system to a quiescent state if t is quiescent. By the transition rules for 
the external choice operator, $e\;{}_K{+}_K\;f \Longrightarrow e\;{}_K{+}_K\;f' \xrightarrow{b} g$ where g is either $f''$ or $\Omega$ 
depending on the rule used for the b-transition (ech2 or ech3). In both cases $t''$ 
is a trace of g leading the system to a quiescent state if t is quiescent. The conclusion 
is then immediate. 

(c) rule ech3 is used for the first transition. 
In this case $e\;{}_H{+}_\emptyset\;i.f \xrightarrow{a} \Omega$ for some input action a. In particular $a \notin \mathit{Wsi}(e)$, 
hence rule ech3 is also applicable to $e\;{}_K{+}_K\;f$, leading the right automaton to $\Omega$. The 
conclusion is then immediate. 

A similar and simpler argument shows the converse trace inclusion. 


I14. For each $1 \le i \le n$ choose $a_i \in (\mathit{out}(S_0) \cap \mathit{in}(S_i) \cap I) \setminus \mathit{in}(e)$. Then 
$(\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n})\|e \xrightarrow{a_1 \cdots a_n} (\Omega_{S_0}\|\Omega_{S_1}\|\cdots\|\Omega_{S_n})\|e$ and 

$\tau_I((\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n})\|e) \Longrightarrow \tau_I((\Omega_{S_0}\|\Omega_{S_1}\|\cdots\|\Omega_{S_n})\|e)$, 

which, by axiom P, is equivalent to $\tau_I(\Omega\|e)$, hence 

$\tau_I(\Omega\|e) \;\sqsubseteq_Q\; \tau_I((\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n})\|e)$. 

The other inclusion is trivial since each process is less than $\Omega$ (use theorem M and the 
substitutivity rules). 


I15. Let t be an external (quiescent) trace of $\tau_I(\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n})$. We show by induction 
on the length of t that t is an external (quiescent) trace of $\Omega_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$. If 
$t = \lambda$ then the result is immediate since $\lambda$ is a quiescent trace of any automaton of the 
form $\Omega\|\mathit{nil}\|\cdots\|\mathit{nil}$. If $t \neq \lambda$ then $t = at'$ for some external action a. By the definition of 
external trace and the transition rules for $\tau_I$, we have that $\Omega_{S_0}\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n} \xrightarrow{t_1} e \xrightarrow{a} 
e'$ for some $e, e', t_1$ where $t_1$ has actions in $I \cup \{\tau\}$. Since $\forall_{1 \le i \le n}\;\mathit{out}(S_0) \cap \mathit{in}(S_i) \cap I = \emptyset$, 
we have $e = f\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n}$ where f is either $\Omega_{S_0}$ or $\mathit{nil}_{S_0}$. In the case f is $\mathit{nil}_{S_0}$ we have 
that $\Omega_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I} \xrightarrow{\tau} \mathit{nil}_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$ using rule ome. Let 

$g = \Omega_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$ if $f = \Omega_{S_0}$, and 
$g = \mathit{nil}_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$ if $f = \mathit{nil}_{S_0}$. 

In the transition $e \xrightarrow{a} e'$ there is a set of automata $\{\mathit{nil}_{S_j} : j \in J\}$ of $f\|\mathit{nil}_{S_1}\|\cdots\|\mathit{nil}_{S_n}$, 
having a as an input action, that will move to $\Omega$. The set of automata $\{\mathit{nil}_{S_j \setminus I} : j \in J\}$ 
also move to $\Omega$ with action a on g since they all have action a as an input action. To 
conclude it is enough to collapse all $\Omega$ automata by repeatedly applying axiom P, and 
successively apply the induction hypothesis. 

The inverse trace inclusion is easier to prove since each trace of $\Omega_{S_0 \setminus I}\|\mathit{nil}_{S_1 \setminus I}\|\cdots\|\mathit{nil}_{S_n \setminus I}$ 
has no actions from I. $\square$ 


4.3 Theorems for recursively defined processes 


In this section we present some tools to deal with recursion by stating some properties about 
recursive definitions. We first find a class of recursive DIOA equations having unique solutions 
up to quiescent trace equivalence, i.e., a unique fixpoint; then, on the same class of equations, 
we state some properties of their pre- and post-fixpoints. 

We consider the class of equations given by means of strongly guarded expressions (see 
Definition 4.3.2), i.e., expressions in which each process variable occurs within the scope of 
some non-hidden prefix. For this class we can assure that every set of mutually recursive 
equations has a unique fixpoint. It is immediate to see that this property is not valid if we 
consider non-strongly guarded equations. Consider for example 

$X \stackrel{\mathrm{def}}{=} \tau_{\{a\}}(a.(X\|\mathit{nil}))$ 

where nil has a single output action a and $a \notin \mathit{acts}(X)$. Then every automaton with the same 
action signature as X is a solution of the equation. 


Since recursion is expressed through DIOA expressions, we can interchangeably talk of 
expressions or talk of represented automata. Moreover we can interchangeably talk of transition 
rules applied to expressions or transition rules applied to automata. The only point in which 
it is not possible to talk about expressions is when some automata are substituted for the 
variables of a set of equations. We first introduce some notational conventions. We indicate 
with $\mathbf{E}$ a set of expressions $\{E_1, \ldots, E_n\}$. The same convention is valid for process variables 
and for automata. With the notation $E[P/X]$ we mean the automaton obtained from E by 
simultaneously substituting all its occurrences of $X_i$ with $P_i$ for every i. With the notation 
$\mathbf{E}[P/X]$ we mean the substitution above repeated for every expression $E_i$ of $\mathbf{E}$. 

We now introduce the notion of strongly guarded expression, which is then generalized to a 


set of equations. 
Definition 4.3.1 (strong guardedness) Given a set of actions A, 

• nil is strongly guarded with respect to A, 

• $a.e$ is strongly guarded with respect to A iff $a \notin A$ or e is strongly guarded with respect 
to A, 

• $e_1 \oplus e_2$ is strongly guarded with respect to A iff both $e_1$ and $e_2$ are strongly guarded with 
respect to A, 

• $e_1\;{}_I{+}_J\;e_2$ is strongly guarded with respect to A iff both $e_1$ and $e_2$ are strongly guarded 
with respect to A, 

• $\tau_I(e)$ is strongly guarded with respect to A iff e is strongly guarded with respect to $A \cup I$, 

• $\rho(e)$ is strongly guarded with respect to A iff e is strongly guarded with respect to $\rho^{-1}(A)$, 
and 

• $e_1\|e_2$ is strongly guarded with respect to A iff both $e_1$ and $e_2$ are strongly guarded with 
respect to A. 

A DIOA expression e is strongly guarded iff it is strongly guarded with respect to $\emptyset$. $\square$ 


Informally, a DIOA expression e is strongly guarded with respect to a set of actions A iff 
every process variable of e occurs in a subexpression of the form $b.e'$ of e where b is an external 
action of $e'$ that is transformed (renamed) into an external action of e not belonging to A. The 
use of parameter A is due to the presence of the hiding operator. The intuitive idea behind 
a strongly guarded expression e is that no process variable affects any transition from e. The 
following definition extends the concept of strong guardedness to a generic set of equations. 


Definition 4.3.2 (strongly guarded equations) Given a set of equations $X \stackrel{\mathrm{def}}{=} E(X)$, an 
equation $X_i \stackrel{\mathrm{def}}{=} E_i(X)$ is strongly guarded with respect to A if $\exists A_1, \ldots, A_n$ such that 

1. $\forall j$, $E_j(X)$ is strongly guarded with respect to $A_j$, 

2. $A \subseteq A_i$, and 

3. for each $X_j$ occurring within $E_i$, $A_i \cup A' \subseteq A_j$ where $A'$ is the set of actions of $X_j$ that 
are hidden within $E_i$. 

$X \stackrel{\mathrm{def}}{=} E(X)$ is strongly guarded if, for each i, $X_i \stackrel{\mathrm{def}}{=} E_i(X)$ is strongly guarded with respect to 
$\emptyset$. 


We can now state the main theorem of this section. As a corollary we have uniqueness of 


fixpoint for strongly guarded equations. 


Theorem 4.3.3 (recursive substitutivity) Let $X \stackrel{\mathrm{def}}{=} E(X)$ be a strongly guarded set of 
equations and let P be a set of I/O automata. Then the following facts hold: 

1. if $P \sqsubseteq_Q E[P/X]$ then $P \sqsubseteq_Q \mathit{Aut}(X)$; 

2. if $E[P/X] \sqsubseteq_Q P$ then $\mathit{Aut}(X) \sqsubseteq_Q P$. 


Corollary 4.3.4 (unique solution of equations) Let $X \stackrel{\mathrm{def}}{=} E(X)$ be a strongly guarded set 
of equations and let $P =_Q E[P/X]$ where P is a set of automata. Then $P =_Q \mathit{Aut}(X)$. 

Proof. Direct consequence of Theorem 4.3.3. $\square$ 
The rest of this section is dedicated to the proof of Theorem 4.3.3. The main idea of the 
proof is that, by unfolding a set of equations n times, every trace of length at most n can 
be generated independently of the automata substituted for the variables X. The first lemma 
formally introduces the unfoldings of the equations and proves some properties that will be 
fundamental to allow the above idea to work. 


Lemma 4.3.5 (unfoldings) Given a set of process variables X, consider the corresponding 
defining expressions $E(X)$. Let $E^0 = E(X)$ and, for each $n \ge 1$, $E^n = E[E^{n-1}/X]$. Let P be 
a set of I/O automata. Then the following holds: 

1. $X =_Q E^n$ for each n. 

2. $P \sqsubseteq_Q E[P/X] \Rightarrow P \sqsubseteq_Q E^n[P/X]$ for each n. 

3. $E[P/X] \sqsubseteq_Q P \Rightarrow E^n[P/X] \sqsubseteq_Q P$ for each n. 


Proof. 

1. By induction on n. If $n = 0$ then the result is immediate from the fact that $X =_Q E(X)$ 
for each process variable X. Suppose by induction that $X =_Q E^n$. By substitutivity, 
$E[X/X] =_Q E[E^n/X]$. Since, by the base case, $E[X/X] =_Q X$ and since, by definition, 
$E[E^n/X]$ is $E^{n+1}$, we can conclude that $X =_Q E^{n+1}$. 

2. By induction on n. If $n = 0$ then the assertion is true by definition. Suppose by induction 
that $P \sqsubseteq_Q E^n[P/X]$. By substitutivity, $E[P/X] \sqsubseteq_Q E[E^n[P/X]/X]$. Since by hypothesis 
$P \sqsubseteq_Q E[P/X]$ and since, by definition, $E[E^n[P/X]/X]$ is $E^{n+1}[P/X]$, we can conclude 
that $P \sqsubseteq_Q E^{n+1}[P/X]$. 

3. By induction on n. If $n = 0$ then the assertion is true by definition. Suppose by induction 
that $E^n[P/X] \sqsubseteq_Q P$. By substitutivity, $E[E^n[P/X]/X] \sqsubseteq_Q E[P/X]$. Since by hypothesis 
$E[P/X] \sqsubseteq_Q P$ and since, by definition, $E[E^n[P/X]/X]$ is $E^{n+1}[P/X]$, we can conclude 
that $E^{n+1}[P/X] \sqsubseteq_Q P$. 
$\square$ 


The following lemmas essentially state the independence of the traces of length at most n 
from the automata substituted for the variables of $E^n$. 

Lemma 4.3.6 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{\tau} E'(X)$. Then 

1. $E'(X)$ is strongly guarded and 

2. for each set of automata P, $E[P/X] \xrightarrow{\tau} E'[P/X]$. 


Proof. We prove a more general result: let $E(X)$ be strongly guarded with respect to A and 
let $E(X) \xrightarrow{a} E'(X)$ where $a \in A \cup \{\tau\}$. Then 

1. $E'(X)$ is strongly guarded with respect to A and 

2. for each set of automata P, $E[P/X] \xrightarrow{a} E'[P/X]$. 

The lemma follows by taking $A = \emptyset$. We proceed by induction on the structure of E. If $E = \mathit{nil}$ 
or $E = \Omega$ then the result is trivial since no variables are contained in E. The result is trivial 
also when E is a process variable since E is not strongly guarded. For the induction step we 
consider cases depending on the outermost operator. 

Case 1 prefixing 
Let $E = b.E_1$. If $a \neq b$ then the result is trivial since the only admitted transitions with 
action a from E move the system to $\Omega$. If $a = b$ then the transition is $b.E_1 \xrightarrow{b} E_1$ and, 
since $b \in A$, $E_1$ is strongly guarded with respect to A. Moreover $b.E_1[P/X] \xrightarrow{b} E_1[P/X]$ 
for each set of automata P. 

Case 2 choice 
Let $E = E_1\;{}_I{+}_J\;E_2$. By definition of strong guardedness both $E_1$ and $E_2$ are strongly 
guarded with respect to A. For transitions to $\Omega$ the result is immediate; for transitions 
involving $E_1$ or $E_2$ the result follows directly from the induction hypothesis. 

Case 3 hiding 
Let $E = \tau_I(E_1)$. By definition of strong guardedness $E_1$ is strongly guarded with respect 
to $A \cup I$. If $\tau_I(E_1) \xrightarrow{a} \tau_I(E')$ where $a \in A \cup \{\tau\}$ then, by the transition rules, $E_1 \xrightarrow{b} E'$ 
where $b \in A \cup I \cup \{\tau\}$. By induction $E'$ is strongly guarded with respect to $A \cup I$ 
and $E_1[P/X] \xrightarrow{b} E'[P/X]$ for each set of automata P. In particular $\tau_I(E')$ is strongly 
guarded with respect to A and $\tau_I(E_1[P/X]) \xrightarrow{a} \tau_I(E'[P/X])$. 

Case 4 renaming 
Let $E = \rho(E_1)$. By definition of strong guardedness $E_1$ is strongly guarded with respect 
to $\rho^{-1}(A)$. If $\rho(E_1) \xrightarrow{a} \rho(E')$ where $a \in A \cup \{\tau\}$ then, by the transition rules, $E_1 \xrightarrow{\rho^{-1}(a)} E'$ 
where $\rho^{-1}(a) \in \rho^{-1}(A) \cup \{\tau\}$. By induction $E'$ is strongly guarded with respect to $\rho^{-1}(A)$ 
and $E_1[P/X] \xrightarrow{\rho^{-1}(a)} E'[P/X]$ for each set of automata P. In particular $\rho(E')$ is strongly 
guarded with respect to A and $\rho(E_1[P/X]) \xrightarrow{a} \rho(E'[P/X])$. 

Case 5 parallel 
Let $E = E_1\|E_2$. By definition of strong guardedness both $E_1$ and $E_2$ are strongly guarded 
with respect to A. It is enough to apply the induction hypothesis to $E_1$ and $E_2$ to conclude. 
$\square$ 


Lemma 4.3.7 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{\tau^n} E'(X)$. Then 

1. $E'(X)$ is strongly guarded and 

2. for each set of automata P, $E[P/X] \xrightarrow{\tau^n} E'[P/X]$. 

Proof. By induction on n. If $n = 0$ then the result is trivial. Suppose now that the fact is 
valid for n and let $E(X) \xrightarrow{\tau^{n+1}} E'(X)$. By means of Lemma 4.3.6 we perform the first step and, 
by induction, we perform the remaining n steps. $\square$ 


To state the following lemmas we need a definition. 


Definition 4.3.8 (transitional equivalence between I/O automata) Two I/O automata 
A, B are transitionally equivalent ($A \equiv B$) iff their transition trees are isomorphic, i.e., there is 
an isomorphism h from the reachable states of A to the reachable states of B such that for each 
reachable $q \in \mathit{states}(A)$, $q \xrightarrow{a} q'$ iff $h(q) \xrightarrow{a} h(q')$. $\square$ 


In the following lemmas we use the transition rules for DIOA in order to derive the transitions 
of an automaton. 


Lemma 4.3.9 Let $E(X)$ be strongly guarded and let P be a set of automata. Let $E[P/X] \xrightarrow{\tau} 
O$. Then $\exists E'' : E(X) \xrightarrow{\tau} E''(X)$ and $O \equiv E''[P/X]$. 

Proof. The proof method is exactly the same as the one used in Lemmas 4.3.6 and 4.3.7. Note 
that the lemma is valid also when P are expressions. $\square$ 


Lemma 4.3.10 Let $E(X)$ be strongly guarded and let $E(X) \xrightarrow{a} E'(X)$. Then, for each set of 
automata P, $E[P/X] \xrightarrow{a} E'[P/X]$. 

Proof. The proof method is exactly the same as in Lemma 4.3.6. $\square$ 


Lemma 4.3.11 Let $E(X)$ be strongly guarded and let P be a set of automata. Let $E[P/X] \xrightarrow{a} 
O$. Then $\exists E'' : E(X) \xrightarrow{a} E''(X)$ and $O \equiv E''[P/X]$. 

Proof. The proof method is exactly the same as in Lemma 4.3.6. Note that the lemma is valid 
also when P are expressions. $\square$ 
Lemma 4.3.12 Let $E(X)$ be strongly guarded. Then $\lambda \in \mathit{qtraces}(E[P/X])$ iff $\lambda \in \mathit{qtraces}(E)$. 

Proof. Suppose $\lambda \in \mathit{qtraces}(E[P/X])$. By definition $E[P/X] \xrightarrow{\tau^n} O$ for some $n \ge 0$ where O 
is quiescent. By Lemma 4.3.9 $\exists E'' : E(X) \xrightarrow{\tau^n} E''(X)$ and $O \equiv E''[P/X]$. Suppose $E''$ not 
to be quiescent. Then $E''[X] \xrightarrow{o} E'''$ for some local action o. By Lemmas 4.3.10 and 4.3.11 
there is a transition from O with action o. This gives a contradiction, hence $E''$ is quiescent 
and $\lambda \in \mathit{qtraces}(E)$. The converse is analogous. $\square$ 


Before stating the main lemma we need a new definition. 


Definition 4.3.13 Let $F(Y)$ be a DIOA expression with k variables, and $X \stackrel{\mathrm{def}}{=} E(X)$ be 
a strongly guarded set of k equations. F is said to be strongly compatible with E if, for each $Y_i$ 
occurring within F, $X_i \stackrel{\mathrm{def}}{=} E_i(X)$ is strongly guarded with respect to A where A is the set of 
actions of $Y_i$ that are hidden in F from the considered occurrence of $Y_i$. $\square$ 


Lemma 4.3.14 Let $F(Y)$ be a DIOA expression with k variables, and let $X \stackrel{\mathrm{def}}{=} E(X)$ be a 
strongly guarded set of k equations where F is strongly compatible with E. Then 

1. $F[E/Y]$ is strongly guarded; 

2. if F is strongly guarded and $F[X] \xrightarrow{a} F'$ (where a could be $\tau$), then $F'$ is strongly 
compatible with E. 

Proof. Item 1 follows from the definitions of strong guardedness and strong compatibility; the 
proof of item 2 is by induction and follows the same lines as Lemma 4.3.6. $\square$ 


We can now prove the main lemma, which relates the automata X to the automata substituted 
for the variables. Note that Lemma 4.3.5 plays an essential role in this proof. The 
introduction of F is necessary to set up an inductive process. 


Lemma 4.3.15 Let $F(Y)$ be an expression with k variables, P be a set of k automata, and 
$X \stackrel{\mathrm{def}}{=} E(X)$ be a strongly guarded set of k equations where F is strongly compatible with E and 
the variables of X are disjoint from those of Y. Let h be a trace of length n. Then h is an 
external (quiescent) trace of $F[E^n[P/X]/Y]$ iff h is an external (quiescent) trace of $F[E^n/Y]$. 


Proof. We prove both directions by induction on n. We also use the following syntactical 
identities: 

1. $F[E[P/X]/Y] = F[E/Y][P/X]$. 

2. $F[E^{n+1}[P/X]/Y] = F[E/Y][E^n[P/X]/X]$. 

($\Rightarrow$) Suppose that $\lambda$ is an external (quiescent) trace of $F[E[P/X]/Y]$. From identity 1, $\lambda$ is 
an external (quiescent) trace of $F[E/Y][P/X]$. By Lemma 4.3.14, $F[E/Y]$ is strongly 
guarded and, by Lemma 4.3.12, $\lambda$ is an external (quiescent) trace of $F[E/Y]$. 

For the induction step suppose that $ah$ is an external (quiescent) trace of $F[E^{n+1}[P/X]/Y]$ 
where $|h| = n$. From identity 2, $ah$ is an external (quiescent) trace of $F[E/Y][E^n[P/X]/X]$ 
and, by Lemma 4.3.14, $F[E/Y]$ is strongly guarded. From the definition of external trace 
and Lemmas 4.3.9 and 4.3.11, $\exists F_1, F_2$ such that 

$F[E/Y][E^n[P/X]/X] \Longrightarrow F_1[E^n[P/X]/X] \xrightarrow{a} F_2[E^n[P/X]/X]$ 

where 

$F[E/Y] \Longrightarrow F_1[X] \xrightarrow{a} F_2[X]$ 

and h is an external (quiescent) trace of $F_2[E^n[P/X]/X]$. By Lemma 4.3.14 and a simple 
induction argument $F_2$ is strongly compatible with E. By Lemmas 4.3.7 and 4.3.10 

$F[E/Y][E^n/X] \Longrightarrow F_1[E^n/X] \xrightarrow{a} F_2[E^n/X]$. 

By induction h is an external (quiescent) trace of $F_2[E^n/X]$. Therefore, since by identity 
2 $F[E^{n+1}/Y] = F[E/Y][E^n/X]$, $ah$ is an external (quiescent) trace of $F[E^{n+1}/Y]$. 

($\Leftarrow$) Suppose that $\lambda$ is an external (quiescent) trace of $F[E/Y]$. By Lemma 4.3.14, $F[E/Y]$ is 
strongly guarded and, by Lemma 4.3.12, $\lambda$ is an external (quiescent) trace of $F[E/Y][P/X]$. 
From identity 1, $\lambda$ is an external (quiescent) trace of $F[E[P/X]/Y]$. 

For the induction step suppose that $ah$ is an external (quiescent) trace of $F[E^{n+1}/Y]$ and 
suppose $|h| = n$. From identity 2, $ah$ is an external (quiescent) trace of $F[E/Y][E^n/X]$ 
and, by Lemma 4.3.14, $F[E/Y]$ is strongly guarded. From the definition of external trace 
and Lemmas 4.3.9 and 4.3.11, $\exists F_1, F_2$ such that 

$F[E/Y][E^n/X] \Longrightarrow F_1[E^n/X] \xrightarrow{a} F_2[E^n/X]$ 

where 

$F[E/Y] \Longrightarrow F_1[X] \xrightarrow{a} F_2[X]$ 

and h is an external (quiescent) trace of $F_2[E^n/X]$. By Lemma 4.3.14 and a simple 
induction argument $F_2$ is strongly compatible with E. By Lemmas 4.3.7 and 4.3.10 

$F[E/Y][E^n[P/X]/X] \Longrightarrow F_1[E^n[P/X]/X] \xrightarrow{a} F_2[E^n[P/X]/X]$. 

By induction h is an external (quiescent) trace of $F_2[E^n[P/X]/X]$. Therefore, since by 
identity 2 $F[E^{n+1}[P/X]/Y] = F[E/Y][E^n[P/X]/X]$, $ah$ is an external (quiescent) trace 
of $F[E^{n+1}[P/X]/Y]$. $\square$ 


We can finally prove Theorem 4.3.3. 

Proof of Theorem 4.3.3 (recursive substitutivity) 

1. Let h be an external (quiescent) trace of $P_i$ and let $|h| = n$. By Lemma 4.3.5 part 2, 
h is an external (quiescent) trace of $F[E^n[P/X]/Y]$ where $F = Y_i$. By Lemma 4.3.15, 
h is an external (quiescent) trace of $F[E^n(X)/Y]$ and, by Lemma 4.3.5 part 1, h is an 
external (quiescent) trace of $F[X/Y]$. Therefore h is an external (quiescent) trace of $X_i$ 
and $\mathit{Aut}(X_i)$. 

2. Let h be an external (quiescent) trace of $\mathit{Aut}(X_i)$, therefore an external (quiescent) trace 
of $X_i$, and let $|h| = n$. $X_i$ can be expressed as $F[X/Y]$ where $F = Y_i$. By Lemma 4.3.5 
part 1, h is an external (quiescent) trace of $F[E^n(X)/Y]$ and, by Lemma 4.3.15, h is an 
external (quiescent) trace of $F[E^n[P/X]/Y]$. Finally, by Lemma 4.3.5 part 3, h is an 
external (quiescent) trace of $P_i$. $\square$ 
Chapter 5 

An Axiomatization for the Quiescent Preorder 


In this chapter we present the syntactic view of the theorems of Chapter 4 and we prove a 
completeness result for recursion-free expressions. 

The first step consists in converting the theorems of Chapter 4 into actual axioms by giving 
syntactic approximations of the semantic auxiliary functions; then the completeness result can 
be stated and proved. 

The completeness result is achieved through a special notion of normal form where the 
parallel operator is present. In general (see [ABV92]) the normal form contains only a 0 
process, a prefixing operator and a nondeterministic choice operator. In DIOA the parallel 
operator cannot be eliminated in general from expressions of the form $\Omega\|\mathit{nil}$. The transition 
rules of DIOA, in fact, do not fit the format of [ABV92]. 

Once the normal form is identified, the completeness result is proven just for expressions 
in normal form and is extended to general expressions by showing that each recursion-free 
expression with a finite interface has a provably equivalent one in normal form. 

The rest of the chapter is organized as follows: Section 5.1 presents approximations for the 
auxiliary functions of Chapter 4 given in terms of the syntactic structure of the expressions. 
By substituting the new auxiliary functions in the theorems of Chapter 4 we obtain actual 
axioms; Section 5.2 presents some classes of expressions that are used for the completeness 
results; Section 5.3 presents three other axioms that can be easily stated using the notation of 
Section 5.2; Section 5.4 presents and proves the completeness result. 


5.1 Syntactic definition of auxiliary functions 


In this section we give an approximation of functions Wsi, Wso, Localen, Quiet and Inten 
that is based on the syntactic structure of an expression. The new functions we define can be 
substituted for the auxiliary functions used in Chapter 4, giving a set of actual axioms. 

By looking at the way in which function Wsi is used in the theorems of Chapter 4, it is 
immediate to see that the approximation we need is an upper approximation of Wsi, i.e., we 
need a new function wsi, defined in terms of the syntactic structure of an expression e, such 
that, for every e, $\mathit{Wsi}(\mathit{Aut}(e)) \subseteq \mathit{wsi}(e)$. One specific property of wsi that guarantees the above 
relation is the following: 

if $a \in \mathit{in}(e)$ and $a \notin \mathit{wsi}(e)$ then $\exists e' =_Q \Omega$ such that $e \stackrel{a}{\Longrightarrow} e'$. 

Table 5.1 contains the actual definition of wsi based on the property above. The definition of 
wsi is a bit complicated due to the presence of the two parameters A and B, which are necessary 
for dealing with the hiding and external choice operators. When dealing with the hiding operator 
it is not sufficient to look at the set wsi of its argument to establish the set wsi of the global 
expression: in fact all the hidden output actions must be considered internal. For this reason it 
is necessary to introduce an additional parameter A saying which actions should be considered 
internal in the evaluation of wsi. On the other hand, when dealing with an external choice 
context, not all traces with elements in A can be performed because some of them may be 
forbidden by the operator itself (for example e cannot perform the input action a in $e\;{}_\emptyset{+}_{\{a\}}\;f$). 
For the reason above it is necessary to introduce a second parameter B saying how the traces 
to consider should begin. Notice, however, that parameters A and B could be eliminated: the 
result is given by a coarser approximation of Wsi with the effect of a weaker set of axioms. The 
following lemma characterizes the relationship between Wsi and wsi. 

Lemma 5.1.1 For each DIOA expression e, $\mathit{Wsi}(\mathit{Aut}(e)) \subseteq \mathit{wsi}(e)$. 
$\mathit{wsi}_{A,B}(\mathit{nil}) = \emptyset$ 

$\mathit{wsi}_{A,B}(\Omega) = \emptyset$ 

$\mathit{wsi}_{A,B}(a.e) = \{a\}$ if $a \in \mathit{in}(e) \setminus A$; $\;\emptyset$ if $a \in \mathit{out}(e) \cup A$ 

$\mathit{wsi}_{A,B}(e_1 \oplus e_2) = \mathit{wsi}_{A,B}(e_1) \cap \mathit{wsi}_{A,B}(e_2)$ 

$\mathit{wsi}_{A,B}(e_1\;{}_I{+}_J\;e_2) = \emptyset$ if $B \cap A \cap (\mathit{in}(e_1) \setminus (I \cup J)) \neq \emptyset$; 
$\;(I \cap \mathit{wsi}_{A,\,B \cap (I \cup \mathit{out}(e_1))}(e_1)) \cup (J \cap \mathit{wsi}_{A,\,B \cap (J \cup \mathit{out}(e_2))}(e_2))$ otherwise 

$\mathit{wsi}_{A,B}(\tau_I(e)) = \mathit{wsi}_{A \cup I,B}(e)$ 

$\mathit{wsi}_{A,B}(\rho(e)) = \rho(\mathit{wsi}_{\rho^{-1}(A),\rho^{-1}(B)}(e))$ 

$\mathit{wsi}_{A,B}(e_1\|e_2) = \mathit{wsi}_{A,B}(e_1) \cup \mathit{wsi}_{A,B}(e_2)$ 

$\mathit{wsi}_{A,B}(X) = \mathit{wsi}_{A,B}(E(X))$ 

Table 5.1: Definition of wsi for DIOA, with $\mathit{wsi}(e) = \mathit{wsi}_{\emptyset,\emptyset}(e)$. 
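The strong-guardedness check of Definition 4.3.1 and the wsi approximation of Table 5.1 are both structural recursions over DIOA expressions, so one small interpreter serves both. The following Python is an added example and not part of the thesis: expressions are nested tuples that carry their signatures on the leaves, `strongly_guarded` follows Definition 4.3.1 clause by clause (with $\Omega$ treated like nil, as in the proof of Lemma 4.3.6), and `wsi` follows Table 5.1 with the top-level call $\mathit{wsi}(e) = \mathit{wsi}_{\emptyset,\emptyset}(e)$. The environment `ENV`, the equations for `X` and `Y`, and the `SERVER` and `CANCEL` expressions are constructed for the example; a renaming $\rho$ is represented as a dictionary that acts as the identity on actions it does not mention.

```python
# DIOA expressions as nested tuples.  Signatures (inputs, outputs) sit on the
# leaves nil and Omega; a process variable takes its signature from `env`,
# which maps X -> (inputs, outputs, E(X)).
#   ("nil", ins, outs)   ("omega", ins, outs)   ("prefix", a, e)   ("var", X)
#   ("ichoice", e1, e2)  ("echoice", e1, I, J, e2)  ("hide", I, e)
#   ("rename", rho, e)   ("par", e1, e2)


def sig(e, env):
    """(inputs, outputs) of a DIOA expression."""
    k = e[0]
    if k in ("nil", "omega"):
        return frozenset(e[1]), frozenset(e[2])
    if k == "prefix":
        return sig(e[2], env)
    if k in ("ichoice", "echoice"):
        return sig(e[1], env)                 # both summands have the same sort
    if k == "hide":
        ins, outs = sig(e[2], env)
        return ins, outs - frozenset(e[1])    # hidden outputs become internal
    if k == "rename":
        rho, (ins, outs) = e[1], sig(e[2], env)
        return (frozenset(rho.get(a, a) for a in ins),
                frozenset(rho.get(a, a) for a in outs))
    if k == "par":
        (i1, o1), (i2, o2) = sig(e[1], env), sig(e[2], env)
        return (i1 | i2) - (o1 | o2), o1 | o2
    return frozenset(env[e[1]][0]), frozenset(env[e[1]][1])  # "var"


def preimage(rho, acts, A):
    """rho^{-1}(A), taken over the actions of the renamed expression."""
    return frozenset(a for a in acts if rho.get(a, a) in A)


def strongly_guarded(e, env, A=frozenset()):
    """Definition 4.3.1: every variable lies under a prefix whose action is not in A."""
    k = e[0]
    if k in ("nil", "omega"):
        return True
    if k == "var":
        return False
    if k == "prefix":
        return e[1] not in A or strongly_guarded(e[2], env, A)
    if k == "hide":
        return strongly_guarded(e[2], env, A | frozenset(e[1]))
    if k == "rename":
        ins, outs = sig(e[2], env)
        return strongly_guarded(e[2], env, preimage(e[1], ins | outs, A))
    if k in ("ichoice", "par"):
        return strongly_guarded(e[1], env, A) and strongly_guarded(e[2], env, A)
    return strongly_guarded(e[1], env, A) and strongly_guarded(e[4], env, A)  # echoice


def wsi(e, env, A=frozenset(), B=frozenset()):
    """Table 5.1: the syntactic upper approximation wsi_{A,B}(e) of Wsi(Aut(e))."""
    k = e[0]
    if k in ("nil", "omega"):
        return frozenset()
    if k == "prefix":
        ins, _ = sig(e, env)
        return frozenset({e[1]}) if e[1] in ins - A else frozenset()
    if k == "ichoice":
        return wsi(e[1], env, A, B) & wsi(e[2], env, A, B)
    if k == "echoice":
        e1, I, J, e2 = e[1], frozenset(e[2]), frozenset(e[3]), e[4]
        ins1, outs1 = sig(e1, env)
        outs2 = sig(e2, env)[1]
        if B & A & (ins1 - (I | J)):
            return frozenset()
        return ((I & wsi(e1, env, A, B & (I | outs1)))
                | (J & wsi(e2, env, A, B & (J | outs2))))
    if k == "hide":
        return wsi(e[2], env, A | frozenset(e[1]), B)
    if k == "rename":
        rho, (ins, outs) = e[1], sig(e[2], env)
        acts = ins | outs
        inner = wsi(e[2], env, preimage(rho, acts, A), preimage(rho, acts, B))
        return frozenset(rho.get(a, a) for a in inner)
    if k == "par":
        return wsi(e[1], env, A, B) | wsi(e[2], env, A, B)
    return wsi(env[e[1]][2], env, A, B)  # "var": unfold E(X); terminates when X is guarded


# Constructed examples.  X = tau_{a}(a.(X || nil)) is the thesis's non-strongly-
# guarded equation (nil has the single output a, and a is not an action of X);
# Y keeps the same guard visible and is strongly guarded.
NIL_A = ("nil", set(), {"a"})
ENV = {"X": (set(), set(), ("hide", {"a"}, ("prefix", "a", ("par", ("var", "X"), NIL_A)))),
       "Y": (set(), {"a"}, ("prefix", "a", ("par", ("var", "Y"), NIL_A)))}
# A server that must answer `req` with `ack`; it never mentions the input `cancel`,
# so `cancel` lies outside wsi and, by Lemma 5.1.1, leads the server to Omega.
SERVER = ("prefix", "req", ("prefix", "ack", ("nil", {"req", "cancel"}, {"ack"})))
CANCEL = ("prefix", "cancel", ("nil", {"req", "cancel"}, {"ack"}))
```

`wsi(SERVER, ENV)` is `{req}`: the input `cancel` is outside it, so by Lemma 5.1.1 the server reaches $\Omega$ on `cancel` and theorem Ec9 applies to that input. The external choice `SERVER {req}+{cancel} CANCEL` yields `{req, cancel}` while the internal choice `SERVER ⊕ CANCEL` yields the empty set, matching the union and intersection rows of the table. The variable case unfolds $E(X)$ and therefore terminates only for guarded variables, which is exactly the restriction the proof of Lemma 5.1.1 makes.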


Proof. The lemma is a direct consequence of the assertion

if $a \in in(e)$ and $a \notin wsi(e)$ then $\exists e' =_Q \Omega : e \stackrel{a}{\Longrightarrow} e'$.

The assertion above is implied by the following one when choosing $A = \emptyset$:

if $a \in in(e) \setminus A$ and $a \notin wsi_{A,B}(e)$ and $B \subseteq ext(e)$, then $\exists e' =_Q \Omega$ and $h \in A^*$ ($h = \lambda$ or $first(h) \in B$) such that $e \stackrel{ha}{\Longrightarrow} e'$.

We show the last assertion by induction on the complexity of a guarded expression $e$. For unguarded expressions it is enough to substitute $E(X)$ for each unguarded occurrence of a process variable $X$.

The cases for $nil$ and $\Omega$ are trivial since, for any input action, they both have only transitions to $\Omega$. For the other operators we have the following cases:

Case 1 prefixing:
Let $e = a.e'$ and suppose $b \notin wsi_{A,B}(e)$ where $b \in in(e) \setminus A$. By definition of $wsi$, $b \neq a$, hence the result is trivial since $a.e' \stackrel{b}{\longrightarrow} \Omega$ for any input action $b$ different from $a$.

Case 2 internal choice:
Let $e = e_1 \oplus e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition of $wsi$ either $a \notin wsi_{A,B}(e_1)$ or $a \notin wsi_{A,B}(e_2)$. Suppose without loss of generality that $a \notin wsi_{A,B}(e_1)$. By induction there is $e_1' =_Q \Omega$ and $h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e_1 \stackrel{ha}{\Longrightarrow} e_1'$. By first using rule $ich_1$, we have $e_1 \oplus e_2 \stackrel{\tau}{\longrightarrow} e_1 \stackrel{ha}{\Longrightarrow} e_1'$.

Case 3 external choice:
Let $e = e_1 \;{}_I{+}_J\; e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. If $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$ then the result is trivial since $e_1 \;{}_I{+}_J\; e_2 \stackrel{b}{\longrightarrow} \Omega \;{}_I{+}_J\; \Omega$ where $b \in B \cap A \cap (in(e_1) \setminus (I \cup J))$. If $B \cap A \cap (in(e_1) \setminus (I \cup J)) = \emptyset$ then one of the following cases holds:

1. $a \notin I \cup J$
This case is trivial since $e_1 \;{}_I{+}_J\; e_2 \stackrel{a}{\longrightarrow} \Omega$.

2. $a \in I \cup J$ and $a \notin (J \cup wsi_{A,\,B \cap (I \cup out(e_1))}(e_1))$
In this case we apply the induction hypothesis to $e_1$. Let $e_1', h$ be such that $e_1' =_Q \Omega$ and $e_1 \stackrel{ha}{\Longrightarrow} e_1'$. If $h = \lambda$ then rule $ech_1$ can be used to derive $e_1 \;{}_I{+}_J\; e_2 \stackrel{a}{\Longrightarrow} e_1'$ since $a \in I$; if $h \neq \lambda$ then, by induction, $first(h) \in I \cup out(e_1)$, hence rule $ech_1$ can be used again.

3. $a \in I \cup J$ and $a \notin (I \cup wsi_{A,\,B \cap (J \cup out(e_2))}(e_2))$
Similar to the previous case.

4. $a \in I \cup J$ and $a \notin wsi_{A,\,B \cap (I \cup out(e_1))}(e_1) \cup wsi_{A,\,B \cap (J \cup out(e_2))}(e_2)$
In this case $a \in I$ or $a \in J$. Suppose without loss of generality that $a \in I$. The analysis is then the same as for item 2.

Case 4 hiding:
Let $e = \tau_I(e')$ and let $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition $wsi_{A,B}(\tau_I(e')) = wsi_{A \cup I,\,B}(e')$. By induction there exists $e'' =_Q \Omega$ and $h' \in (A \cup I)^*$ such that $h' = \lambda$ or $first(h') \in B$, and $e' \stackrel{h'a}{\Longrightarrow} e''$. From the transition rules $\tau_I(e') \stackrel{ha}{\Longrightarrow} \tau_I(e'')$ where $h = h' \lceil ext(e)$. Notice that, if $h' \neq \lambda$, then $first(h) \in B$ since $B \subseteq ext(e)$. In particular $\tau_I(e'') =_Q \Omega$ and $h = \lambda$ or $first(h) \in B$.

Case 5 renaming:
Let $e = \rho(e')$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. By definition $wsi_{A,B}(\rho(e')) = \rho(wsi_{\rho^{-1}(A),\,\rho^{-1}(B)}(e'))$, hence $\rho^{-1}(a) \notin wsi_{\rho^{-1}(A),\,\rho^{-1}(B)}(e')$ and $\rho^{-1}(a) \in in(e') \setminus \rho^{-1}(A)$. By induction there exists $e'' =_Q \Omega$ and $h' \in \rho^{-1}(A)^*$ such that $h' = \lambda$ or $first(h') \in \rho^{-1}(B)$, and $e' \stackrel{h'\rho^{-1}(a)}{\Longrightarrow} e''$. From the transition rules $\rho(e') \stackrel{ha}{\Longrightarrow} \rho(e'')$ where $h = \rho(h')$. In particular $\rho(e'') =_Q \Omega$ and $h = \lambda$ or $first(h) \in B$.

Case 6 parallel:
Let $e = e_1 \| e_2$ and suppose $a \notin wsi_{A,B}(e)$ where $a \in in(e) \setminus A$. The conclusion follows directly by applying the induction hypothesis to both $e_1$ and $e_2$. ∎
For function $Wso$ we define an approximating function that satisfies the following property for each expression $e$:

if $a \in out(e)$ and $\exists e' : e \stackrel{a}{\Longrightarrow} e'$ then $a \in wso(e)$.

Table 5.2 contains the actual definition of function $wso$. Unfortunately $wso$ is not well defined for all DIOA expressions. Consider for example the process

$X \stackrel{def}{=} \tau_{\{a\}}(a.(X \| nil))$

where $a$ is an output action of $nil$ but not an action of $X$. The application of the definition of $wso$ gives $wso(X) = wso(X)$. The problem is essentially due to the third case in the expression of $wso_{A,B}(a.e)$, where the prefix $a$ is skipped and expression $e$ is considered. One way to avoid the problem is to replace $wso_{A,A}(e)$ with $out(e) \setminus A$ in the expression for $wso_{A,B}(a.e)$; another way is to consider only those expressions for which $wso$ is well defined, i.e., strongly guarded expressions as defined in Definition 4.3.1 of Chapter 4. On strongly guarded expressions the third case of the expression for $wso_{A,B}(a.e)$ does not cause any problem since a process variable will never be reached.
Table 5.2: Definition of $wso$ for DIOA, with $wso(e) = wso_{\emptyset,\emptyset}(e)$.

$wso_{A,B}(nil) = \emptyset$ if $A \cap B \cap in(nil) = \emptyset$, and $wso_{A,B}(nil) = out(nil) \setminus A$ otherwise

$wso_{A,B}(\Omega) = out(\Omega) \setminus A$

$wso_{A,B}(a.e) = out(e) \setminus A$ if $B \cap A \cap \overline{\{a\}} \neq \emptyset$; $wso_{A,B}(a.e) = \{a\} \cap out(e)$ if $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \notin A$; $wso_{A,B}(a.e) = wso_{A,A}(e)$ if $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \in A \cap B$; $wso_{A,B}(a.e) = \emptyset$ if $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \in A \setminus B$

$wso_{A,B}(e_1 \oplus e_2) = wso_{A,B}(e_1) \cup wso_{A,B}(e_2)$

$wso_{A,B}(e_1 \;{}_I{+}_J\; e_2) = wso_{A,\,B \cap (I \cup out(e_1))}(e_1) \cup wso_{A,\,B \cap (J \cup out(e_2))}(e_2)$ if $B \cap A \cap \overline{I \cup J} = \emptyset$, and $wso_{A,B}(e_1 \;{}_I{+}_J\; e_2) = out(e_1) \setminus A$ otherwise

$wso_{A,B}(\tau_I(e)) = wso_{A \cup I,\,B \cup I}(e)$

$wso_{A,B}(\rho(e)) = \rho(wso_{\rho^{-1}(A),\,\rho^{-1}(B)}(e))$

$wso_{A,B}(e_1 \| e_2) = wso_{A,A}(e_1) \cup wso_{A,A}(e_2)$ if $\exists a \in B \cap A : a \in acts(e_1) \setminus ext(e_2)$ or $a \in acts(e_2) \setminus ext(e_1)$, and $wso_{A,B}(e_1 \| e_2) = wso_{A,B}(e_1) \cup wso_{A,B}(e_2)$ otherwise

$wso_{A,B}(X) = wso_{A,B}(E(X))$
The relationship between $Wso$ and $wso$ is then the following:

Lemma 5.1.2 For every strongly guarded DIOA expression $e$, $Wso(Aut(e)) \subseteq wso(e)$.

Proof. The lemma is a consequence of the assertion

if $\exists e' : e \stackrel{a}{\Longrightarrow} e'$ for $a \in out(e)$, then $a \in wso(e)$.

The assertion above is implied by the following one when choosing $A = \emptyset$: if $e$ is strongly guarded with respect to $A$ and $\exists e', h$ such that $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $e \stackrel{ha}{\Longrightarrow} e'$ where $a \in out(e) \setminus A$, then $a \in wso_{A,B}(e)$.

We show the last assertion by induction on the complexity of an expression $e$ and we analyze each single operator. Clearly, since $e$ is strongly guarded, $e$ is not a process variable.
Case 1 nil:
Let $e = nil$ and suppose $\exists e', h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e \stackrel{ha}{\Longrightarrow} e'$ where $a \in out(e) \setminus A$. Since the only transitions for $nil$ are labelled with input actions, it must be $h \neq \lambda$, $first(h) \in in(e)$ and $first(h) \in B$. This implies that $A \cap B \cap in(e) \neq \emptyset$. By definition, $wso_{A,B}(e) = out(e) \setminus A$, hence $a \in wso_{A,B}(e)$.

Case 2 omega:
This case is trivial since $wso_{A,B}(\Omega) = out(\Omega) \setminus A$.

Case 3 prefixing:
Let $e = a.e'$ and suppose $\exists e'', h \in A^*$ such that $h = \lambda$ or $first(h) \in B$, and $e \stackrel{hb}{\Longrightarrow} e''$ where $b \in out(e) \setminus A$. We distinguish four cases:

1. $B \cap A \cap \overline{\{a\}} \neq \emptyset$
This case is trivial since, by definition, $wso_{A,B}(e) = out(e) \setminus A$.

2. $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \notin A$
In this case $h = \lambda$, hence $a$ must be an output action and $b = a$. By definition $wso_{A,B}(e) = \{a\}$, hence $b \in wso_{A,B}(e)$.

3. $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \in A \cap B$
In this case $h = ah'$ where $h' \in A^*$. In particular $a.e' \stackrel{a}{\longrightarrow} e'$ and $e' \stackrel{h'b}{\Longrightarrow} e''$, hence, by induction, $b \in wso_{A,A}(e')$. Notice, in fact, that $e'$ is strongly guarded with respect to $A$. By definition $wso_{A,B}(e) = wso_{A,A}(e')$, hence $b \in wso_{A,B}(e)$.

4. $B \cap A \cap \overline{\{a\}} = \emptyset$ and $a \in A \setminus B$
In this case $h = \lambda$. Moreover, since $a \in A$, $b$ cannot exist.

Case 4 internal choice:
This case is a simple application of the induction hypothesis after observing that $ha$ must be an external trace of one of the arguments of $\oplus$.

Case 5 external choice:
Let $e = e_1 \;{}_I{+}_J\; e_2$ and suppose $e_1 \;{}_I{+}_J\; e_2 \stackrel{ha}{\Longrightarrow} e'$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $a \in out(e) \setminus A$. We distinguish two cases:

1. $B \cap A \cap \overline{I \cup J} = \emptyset$
In this case rule $ech_3$ cannot be used for generating $h$, hence the only way to perform an output action is by first choosing between $e_1$ and $e_2$ using rules $ech_{1,2}$. In particular the first external transition yielding $ha$ is obtained by applying rule $ech_1$ or $ech_2$. Suppose without loss of generality that the applied rule is $ech_1$. In this case we have that $e_1 \stackrel{ha}{\Longrightarrow} e'$ and $h = \lambda$ or $first(h) \in I \cup out(e_1)$. By induction, then, $a \in wso_{A,\,B \cap (I \cup out(e_1))}(e_1)$. A symmetric argument holds if the applied rule is $ech_2$.

2. $B \cap A \cap \overline{I \cup J} \neq \emptyset$
This case is trivial since, by definition, $wso_{A,B}(e) = out(e) \setminus A$.

Case 6 hiding:
Let $e = \tau_I(e')$ and suppose $\tau_I(e') \stackrel{ha}{\Longrightarrow} \tau_I(e'')$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $a \in out(e) \setminus A$. By definition $\exists h' \in (A \cup I)^*$ such that $h' \lceil A = h$ and $e' \stackrel{h'a}{\Longrightarrow} e''$. Clearly, if $h' \neq \lambda$, $first(h') \in B \cup I$, hence, by induction, $a \in wso_{A \cup I,\,B \cup I}(e')$ giving $a \in wso_{A,B}(\tau_I(e'))$.

Case 7 renaming:
Let $e = \rho(e')$ and suppose $\rho(e') \stackrel{ha}{\Longrightarrow} \rho(e'')$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $a \in out(e) \setminus A$. By the transition rules $e' \stackrel{\rho^{-1}(h)\rho^{-1}(a)}{\Longrightarrow} e''$. Clearly, $\rho^{-1}(h) \in \rho^{-1}(A)^*$ and, if $\rho^{-1}(h) \neq \lambda$, $first(\rho^{-1}(h)) \in \rho^{-1}(B)$, hence, by induction, $\rho^{-1}(a) \in wso_{\rho^{-1}(A),\,\rho^{-1}(B)}(e')$ giving $a \in wso_{A,B}(\rho(e'))$.
Case 8 parallel:
Let $e = e_1 \| e_2$. By definition

$wso_{A,B}(e_1 \| e_2) = wso_{A,A}(e_1) \cup wso_{A,A}(e_2)$ if $\exists a \in B \cap A : a \in acts(e_1) \setminus ext(e_2)$ or $a \in acts(e_2) \setminus ext(e_1)$, and $wso_{A,B}(e_1 \| e_2) = wso_{A,B}(e_1) \cup wso_{A,B}(e_2)$ otherwise.

Suppose $e_1 \| e_2 \stackrel{ha}{\Longrightarrow} e'$ where $h \in A^*$, $h = \lambda$ or $first(h) \in B$, and $a \in out(e) \setminus A$. Suppose $a$ is an output action of $e_1$ (the case for $e_2$ is analogous). By the transition rules it is a simple induction argument to see that, if $e_1'$ is the left component of $e'$, then $e_1 \stackrel{(h \lceil acts(e_1))a}{\Longrightarrow} e_1'$. If $h = \lambda$ then, by induction, we immediately have that $a \in wso_{A,B}(e_1)$ and $a \in wso_{A,A}(e_1)$. If $first(h) \in acts(e_1)$ then again $a \in wso_{A,B}(e_1)$ and $a \in wso_{A,A}(e_1)$. If $first(h) \in acts(e_2) \setminus acts(e_1)$ then we can only conclude that $h \lceil acts(e_1) = \lambda$ or $first(h \lceil acts(e_1)) \in A$, hence $a \in wso_{A,A}(e_1)$. In all the cases the conclusion is that $a \in wso_{A,B}(e_1 \| e_2)$. ∎

Remark 5.1.3 Functions $wsi$ and $wso$ could have been defined in several different ways. In this section we have just presented some arbitrary definitions that, in our judgement, permit capturing the relationship between a large number of expressions by means of the axioms of Section 4.2.

Functions $Localen$, $Inten$ and $Quiet$ can be easily defined in terms of the syntactic structure of an expression. Their definition is in Table 5.3.

Table 5.3: Definition of $localen$, $inten$ and $quiet$.

$localen(nil) = \emptyset$

$localen(a.e) = \{a\} \cap out(e)$

$localen(e_1 \oplus e_2) = localen(e_1) \cup localen(e_2) \cup \{\tau\}$

$localen(e_1 \;{}_I{+}_J\; e_2) = localen(e_1) \cup localen(e_2)$

$localen(\tau_I(e)) = localen(e)$

$localen(\rho(e)) = \rho(localen(e))$

$localen(e_1 \| e_2) = localen(e_1) \cup localen(e_2)$

$localen(X) = localen(E(X))$

$inten(e) = true$ iff $\tau \in localen(e)$

$quiet(e) = true$ iff $localen(e) = \emptyset$
Lemma 5.1.4 Given a DIOA expression $e$,

1. $localen(e) = Localen(Aut(e))$,

2. $inten(e) = Inten(Aut(e))$ and

3. $quiet(e) = Quiet(Aut(e))$.
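The syntactic functions of Tables 5.1 and 5.3 can be evaluated mechanically over the structure of an expression. The following Python is an added example and not code from the thesis: it encodes recursion-free DIOA expressions as tuples (an assumed encoding in which $nil$ and $\Omega$ carry their interface explicitly, hiding is assumed to remove the hidden actions from the outputs, and process variables are left out) and computes $wsi_{A,B}$ of Table 5.1, $localen$, $inten$ and $quiet$ of Table 5.3, and the unparameterized choice $e + f = e \;{}_{wsi(e)}{+}_{wsi(f)}\; f$ of Section 5.2. Table 5.3 as extracted has no line for $\Omega$, so `localen` raises for it rather than guessing a value.

```python
"""wsi (Table 5.1) and localen/inten/quiet (Table 5.3) for recursion-free DIOA
expressions.  Added illustration, not the thesis's own code; the tuple encoding
below and the explicit interface on nil/Omega are assumptions of this example."""

TAU = "tau"

# Assumed encoding of expressions:
#   ("nil", ins, outs)            ("omega", ins, outs)
#   ("pre", a, e)                 ("ichoice", e1, e2)
#   ("echoice", I, J, e1, e2)     ("hide", I, e)
#   ("rename", rho, e)            ("par", e1, e2)
# rho is a dict describing a bijective renaming (identity on unlisted actions).

def ren(rho, S):
    """Image of a set of actions under the renaming rho."""
    return frozenset(rho.get(a, a) for a in S)

def inverse(rho):
    return {v: k for k, v in rho.items()}

def sort(e):
    """Interface (inputs, outputs) of e; in a composition an input that some
    component outputs is no longer an input of the whole."""
    k = e[0]
    if k in ("nil", "omega"):
        return frozenset(e[1]), frozenset(e[2])
    if k == "pre":
        return sort(e[2])
    if k == "ichoice":
        return sort(e[1])                 # both arguments share a sort
    if k == "echoice":
        return sort(e[3])
    if k == "hide":                       # hidden actions become internal (assumed)
        ins, outs = sort(e[2])
        return ins, outs - frozenset(e[1])
    if k == "rename":
        ins, outs = sort(e[2])
        return ren(e[1], ins), ren(e[1], outs)
    if k == "par":
        i1, o1 = sort(e[1]); i2, o2 = sort(e[2])
        return (i1 | i2) - (o1 | o2), o1 | o2
    raise ValueError(k)

def wsi(e, A=frozenset(), B=frozenset()):
    """wsi_{A,B}(e) of Table 5.1; wsi(e) is the case A = B = empty."""
    A, B = frozenset(A), frozenset(B)
    k = e[0]
    if k in ("nil", "omega"):
        return frozenset()
    if k == "pre":
        ins, _ = sort(e)
        return frozenset({e[1]}) if e[1] in ins - A else frozenset()
    if k == "ichoice":
        return wsi(e[1], A, B) & wsi(e[2], A, B)
    if k == "echoice":
        I, J, e1, e2 = frozenset(e[1]), frozenset(e[2]), e[3], e[4]
        in1, out1 = sort(e1); _, out2 = sort(e2)
        if B & A & (in1 - (I | J)):       # an input outside I∪J leads to Omega
            return frozenset()
        return (I & wsi(e1, A, B & (I | out1))) | (J & wsi(e2, A, B & (J | out2)))
    if k == "hide":
        return wsi(e[2], A | frozenset(e[1]), B)
    if k == "rename":
        inv = inverse(e[1])
        return ren(e[1], wsi(e[2], ren(inv, A), ren(inv, B)))
    if k == "par":
        return wsi(e[1], A, B) | wsi(e[2], A, B)
    raise ValueError(k)

def localen(e):
    """localen(e) of Table 5.3: locally controlled actions enabled by e."""
    k = e[0]
    if k == "nil":
        return frozenset()
    if k == "omega":
        raise NotImplementedError("Table 5.3 as extracted gives no case for Omega")
    if k == "pre":
        return frozenset({e[1]}) & sort(e)[1]
    if k == "ichoice":
        return localen(e[1]) | localen(e[2]) | {TAU}
    if k == "echoice":
        return localen(e[3]) | localen(e[4])
    if k == "hide":
        return localen(e[2])              # as stated in Table 5.3
    if k == "rename":
        return ren(e[1], localen(e[2]))
    if k == "par":
        return localen(e[1]) | localen(e[2])
    raise ValueError(k)

def inten(e):
    return TAU in localen(e)

def quiet(e):
    return not localen(e)

def plus(e, f):
    """Unparameterized external choice of Section 5.2: e wsi(e)+wsi(f) f."""
    return ("echoice", wsi(e), wsi(f), e, f)
```

With $e = a.nil + b.nil$ over the interface $in = \{a, c\}$, $out = \{b\}$, `wsi(e)` is $\{a\}$ and `localen(e)` is $\{b\}$, as Lemma 5.4.2 predicts for prefix forms; composing $e$ internally with $nil$ adds $\tau$ to `localen` and empties `wsi`, which is the intersection rule of Table 5.1 at work.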


The following theorem is then straightforward.

Theorem 5.1.5 The omega, renaming, prefixing, internal choice, external choice and hiding theorems for I/O automata are sound axioms for DIOA when expressions are interpreted as DIOA expressions and the syntactic auxiliary functions are substituted for the semantic auxiliary functions. ∎


5.2 Prefix forms

In this section we present some special classes of expressions called normal forms. The presentation also includes a definition of an unparameterized external choice operator which is useful for simplifying the notation.

Definition 5.2.1 (normal forms) A DIOA expression $e$ is in prefix normal form if one of the following conditions holds.

1. $e = \Omega \| nil \| \cdots \| nil$ (atomic expression)

2. $e = a.e'$ where $e'$ is in prefix normal form

3. $e = e_1 \;{}_{wsi(e_1)}{+}_{wsi(e_2)}\; e_2$ where $e_1$ and $e_2$ are in prefix normal form but not atomic.

A DIOA expression $e$ is in internal prefix form if $e = e_1 \oplus \cdots \oplus e_n$ where each $e_i$ is in prefix normal form. We abbreviate $e_1 \oplus \cdots \oplus e_n$ with $\bigoplus_i e_i$. ∎

The reason for the complexity of item 1 is that in general the parallel operator cannot be eliminated from an atomic expression.

When dealing with expressions in prefix normal form it is possible to drop the parameters from the external choice operator; moreover, when $e$ is not an atomic expression different from $nil$, it is possible to use the notation $e = \sum_{i \in I} a_i.e_i$ where $I = \emptyset$ means $e = nil$.

The above idea also suggests the use of an unparameterized choice operator $+$ to simplify the notation for expressions when possible: $e + f$ is defined to be $e \;{}_{wsi(e)}{+}_{wsi(f)}\; f$.


5.3 Other axioms

In this section we present three other important axioms which can be easily stated using the prefix normal form. The first two axioms are the expansion axioms, giving the possibility to convert a parallel composition of $n$ expressions into a nondeterministic composition of expressions.

Proposition 5.3.1 (expansion axioms) The following axioms are sound:

$E_1$ Let $e = \Omega_{S_0} \| nil_{S_1} \| \cdots \| nil_{S_n}$ be of sort $S$. For each $a \in out(S_0) \cup in(S)$ let $e_a$ be the unique state that $e$ reaches with action $a$. Then $e =_Q (\sum_{a \in out(S_0) \cup in(S)} a.e_a) \oplus (\sum_{a \in in(S)} a.e_a)$.

$E_2$ Let $e = e_1 \| e_2 \| \cdots \| e_n$ where each $e_i$ is of the form $\sum_j a_{ij}.e_{ij}$. For each action $a \in ext(e)$ let

$E_i^a = \{e_{ij} \mid a_{ij} = a\}$ if $a \in acts(e_i)$, and $E_i^a = \{e_i\}$ otherwise.

Let $out(a)$ be the index $j$ such that $a$ is an output action of $e_j$ ($0$ otherwise) and let

$F^a = \emptyset$ if $out(a) \neq 0$ and $E^a_{out(a)} = \emptyset$, and $F^a = \{f_1 \| \cdots \| f_n \mid f_i \in E_i^a \vee (E_i^a = \emptyset \wedge f_i = \Omega)\}$ otherwise.

Then $e =_Q \sum_{a \in ext(e)} (\sum_{f \in F^a} a.f)$.
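Axiom $E_2$ is an algorithm: for every external action it collects the successors of each component, decides whether a non-enabled action is an output (no summand) or an input (that component moves to $\Omega$), and takes the product. The following Python is an added example and not code from the thesis; it assumes components are given by their interface and their summands $a_{ij}.e_{ij}$, with each successor $e_{ij}$ abbreviated by a name, and returns the sets $F^a$ as tuples of those names.

```python
"""Axiom E2 of Proposition 5.3.1 computed for e1 || ... || en with every e_i in
prefix normal form.  Added illustration, not the thesis's own code; components
are described by (inputs, outputs, summands) and successors by names, which is
an assumed encoding."""
from itertools import product

OMEGA = "Omega"          # name standing for the chaotic process Omega

class Comp:
    """e_i = sum_j a_ij . e_ij together with an explicit interface."""
    def __init__(self, name, ins, outs, summands):
        self.name = name
        self.ins, self.outs = frozenset(ins), frozenset(outs)
        self.summands = list(summands)          # [(action, successor name)]

    def acts(self):
        return self.ins | self.outs

def expand(comps):
    """Return {a: F^a}, F^a a set of n-tuples (f_1, ..., f_n), such that
    e1||...||en  =_Q  sum_{a in ext(e)} sum_{f in F^a} a.(f_1||...||f_n)."""
    outs = frozenset().union(*(c.outs for c in comps))
    ins = frozenset().union(*(c.ins for c in comps)) - outs
    expansion = {}
    for a in sorted(ins | outs):                # a ranges over ext(e)
        # E_i^a: successors of e_i on a; {e_i} itself when a is not an action of e_i
        E = [[s for (b, s) in c.summands if b == a] if a in c.acts() else [c.name]
             for c in comps]
        # out(a): 1-based index of the component that outputs a, 0 for an input of e
        owner = next((i + 1 for i, c in enumerate(comps) if a in c.outs), 0)
        if owner and not E[owner - 1]:
            continue                            # output a not enabled: F^a is empty
        # a component that does not enable the input a moves to Omega
        choices = [Ei if Ei else [OMEGA] for Ei in E]
        expansion[a] = {tuple(f) for f in product(*choices)}
    return expansion

def summands(comps):
    """Right-hand side of E2 as a list of (action, successor tuple) pairs."""
    return [(a, f) for a, F in expand(comps).items() for f in sorted(F)]
```

For $e_1 = b.p$ (input $a$, output $b$) composed with $e_2 = c.q$ (input $b$, output $c$), `expand` yields $a.(\Omega \| e_2)$ because $e_1$ does not enable its input $a$, $b.(p \| \Omega)$ because $e_2$ does not enable its input $b$, and $c.(e_1 \| q)$ because $c$ is not an action of $e_1$; an output that its owner does not enable, such as $d$ in the second composition below, produces no summand at all.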


The third axiom concerns atomic expressions. We also prove that the axiom below completely characterizes the quiescent preorder for internal choice compositions of atomic expressions.

Proposition 5.3.2 (completeness axiom) The following assertion is valid:

$Cp_1$ Let $e_i$, $0 \le i \le n$, be atomic expressions and, for each action $a$, let $f_i^a$ be the state that $e_i$ reaches with action $a$ ($\epsilon$ if no state exists). Then $e_0 \sqsubseteq_Q \bigoplus_{1 \le i \le n} e_i$ iff, for each action $a$, either

1. $f_i^a = e_i$, $0 \le i \le n$, or

2. $f_0^a = \epsilon$, or

3. $f_0^a \sqsubseteq_Q \bigoplus_{i \ge 1,\, f_i^a \neq \epsilon} f_i^a$.
Proof.

Soundness

Suppose, for each action $a$, one of the conditions 1, 2 or 3 to be valid. Let $t$ be an external (quiescent) trace of $e_0$. The case for $t = \lambda$ is trivial since $\lambda$ is a quiescent trace of any atomic expression. Let $t = t_1 t_2$ where $t_1$ is the longest prefix of $t$ such that each $e_i \stackrel{t_1}{\Longrightarrow} e_i$ by means of self loop transitions. If $t_2 = \lambda$ then trivially $t$ is an external (quiescent) trace of $(\bigoplus_{1 \le i \le n} e_i)$ using the same argument as for $\lambda$. Suppose $t_2 = a t_3$ for some action $a$ and let $e_0 \stackrel{a}{\longrightarrow} f_0^a$. $t_3$ is then an external (quiescent) trace of $f_0^a$ and, by hypothesis and the definition of $t_1$, $t_3$ is an external (quiescent) trace of $(\bigoplus_{f_i^a \neq \epsilon} f_i^a)$ and $\{i \mid f_i^a \neq \epsilon\} \neq \emptyset$ (in fact conditions 1 and 2 are false). This implies that $\exists j : t_3$ is an external (quiescent) trace of $f_j^a$. Moreover $(\bigoplus_{1 \le i \le n} e_i) \stackrel{t_1 a}{\Longrightarrow} f_j^a$, hence $t$ is an external (quiescent) trace of $(\bigoplus_{1 \le i \le n} e_i)$.

Completeness

Let $e_0 \sqsubseteq_Q \bigoplus_{1 \le i \le n} e_i$ and suppose conditions 1, 2 and 3 to be false for some action $a$. Since condition 2 is false, $f_0^a \neq \epsilon$, so we have that $e_0 \stackrel{a}{\longrightarrow} f_0^a$. Since condition 3 is false, then either $\{i \mid f_i^a \neq \epsilon\} = \emptyset$ or $f_0^a \not\sqsubseteq_Q (\bigoplus_{f_i^a \neq \epsilon} f_i^a)$. The first case cannot hold, since otherwise $a$ would be an external trace of $e_0$ but not an external trace of $(\bigoplus_{1 \le i \le n} e_i)$. Let $t = at'$ where $t'$ is an external (quiescent) trace of $f_0^a$ but not an external (quiescent) trace of $(\bigoplus_{f_i^a \neq \epsilon} f_i^a)$. We show that $t$ is not an external (quiescent) trace of $(\bigoplus_{1 \le i \le n} e_i)$. Suppose the contrary. By Lemma 5.4.3, $t$ is an external (quiescent) trace of $e_i$ for some $i > 0$. In particular $e_i \stackrel{a}{\longrightarrow} f_i^a$, hence $t'$ is an external (quiescent) trace of $f_i^a$, i.e., is an external (quiescent) trace of $\bigoplus_{f_i^a \neq \epsilon} f_i^a$, absurdum. ∎


5.4 Completeness results

In this section we prove the completeness result for recursion-free expressions. It is achieved through the following steps:

1. the completeness result is shown for expressions in internal prefix form;

2. each recursion-free expression is shown to have a provably equivalent expression in internal prefix form.

The main theorem is then the following:
Theorem 5.4.1 (completeness) Let $e, f$ be recursion-free DIOA expressions with a finite interface. If $e \sqsubseteq_Q f$ then $\mathcal{A} \vdash e \sqsubseteq_Q f$ where $\mathcal{A}$ is the set of all axioms presented in this thesis.

The completeness result for expressions in internal prefix form is shown through an additional axiom. We prove its soundness by using the axiom version of the theorems of Chapter 4. We first state some simple lemmas.

Lemma 5.4.2 Let $e = \sum_{i \in I} a_i.e_i$. Then

$wsi(e) = \{a_i : i \in I\} \cap in(e)$ and
$wso(e) = \{a_i : i \in I\} \cap out(e)$.

Proof. Direct application of the definitions of $wsi$ and $wso$. ∎

Lemma 5.4.3 Let $e = \bigoplus_{i \in I} e_i$. Then

1. $etraces(e) = \bigcup_{i \in I} etraces(e_i)$ and

2. $qtraces(e) = \bigcup_{i \in I} qtraces(e_i)$.

Proof. Simple consequence of the transition rules for $\oplus$. ∎


Proposition 5.4.4 (completeness axiom) The following assertion is valid:

$Cp_2$ Let $e = \sum_i a_i.e_i$ and $f = \bigoplus_j f_j$ where $f_j = \sum_k b_{jk}.f_{jk}$. For each $a, j$ let

$g_j^a = \bigoplus_{k : b_{jk} = a} f_{jk}$ if $\{k \mid b_{jk} = a\} \neq \emptyset$, and $g_j^a = \epsilon$ otherwise.

Then $e \sqsubseteq_Q f$ iff the following three conditions hold:

(a) $quiescent(e) \Rightarrow \exists j : quiescent(f_j)$

(b) $\forall i : (e_i \sqsubseteq_Q \bigoplus_{j : g_j^{a_i} \neq \epsilon} g_j^{a_i}$ and $\exists j : g_j^{a_i} \neq \epsilon)$ or $(a_i \in in(e)$ and $\exists j : g_j^{a_i} = \epsilon)$

(c) $\forall a \in (\bigcap_j wsi(f_j)) \setminus wsi(e) : \Omega \sqsubseteq_Q \bigoplus_j g_j^a$
Proof.

Soundness

Suppose conditions 1, 2 and 3 to be valid. We perform the following quiescent equivalence preserving transformations on $e$ and $f$:

1. Using one of the $Ec$ axioms, add $a.\Omega$ to each expression $f_j$ such that $a \notin wsi(f_j)$ and $a \in wsi(e) \cup wsi(f)$. Do the same on $e$.

2. Using one of the $Ec$ axioms, replicate on all the $f_j$'s each summand $a.f_{jk}$ of each $f_j$ where $a$ is an input action. For example $(a.f_1' + f_1'') \oplus f_2 \oplus \cdots \oplus f_n$ becomes $(a.f_1' + f_1'') \oplus (a.f_1' + f_2) \oplus \cdots \oplus (a.f_1' + f_n)$.

3. Repeat the operation of 2 for summands $a.f_{jk}$ where $a$ is an output action. Only non quiescent expressions can be considered.

4. Using one of the $Ec$ axioms, group all expressions with a common prefix in each expression $f_j$.

5. Reduce to $a.\Omega$ each summand of the form $a.(\Omega \oplus \cdots)$ of each $f_j$. This step is possible since it is immediate to prove $\Omega =_Q e \oplus \Omega$ by using axiom $M$ and the $Ic$ axioms.

6. Merge equal expressions on the $f$-side using the $Ic$ axioms.

The new expressions $e' =_Q e$ and $f' =_Q f$ coming out from the above manipulations are

$e' = e + \sum_{a \in wsi(f) \setminus wsi(e)} a.\Omega$

and

$f' = (f'' + \sum_{a \in A} a.f_a'') \oplus f''$

where $A$ is a set of output actions,

$f'' = (\sum_{a \in wsi(e) \cup wsi(f)} a.f_a'')$,

and each $f_a''$ is

$\bigoplus_{j : g_j^a \neq \epsilon} g_j^a$ if $a \in out(e)$ or ($a \in in(e)$ and $\nexists j \mid g_j^a = \epsilon$), and $\Omega$ if $a \in in(e)$ and $\exists j \mid g_j^a = \epsilon$.

Notice that the right expression $f''$ appears only if there is at least a quiescent $f_j$. We now distinguish two cases:

1. $e$ is quiescent

In this case $e'$ is also quiescent and, by hypothesis, there is a quiescent $f_j$. We prove that $e' \sqsubseteq_Q f''$. The $Ic$ axioms are then sufficient to conclude. We show in particular that, for each summand $a.e''$ of $e'$, $e'' \sqsubseteq_Q f_a''$. The $Ec$ axioms and substitutivity are then sufficient to conclude. If $\exists j \mid g_j^a = \epsilon$ then $f_a'' = \Omega$ and axiom $M$ is sufficient to conclude; otherwise $f_a'' = \bigoplus_{j : g_j^a \neq \epsilon} g_j^a$. If $a.e''$ is a summand of $e$ then the conclusion follows from hypothesis; otherwise the conclusion follows from hypothesis again after observing that $a \in (\bigcap_j wsi(f_j)) \setminus wsi(e)$.

2. $e$ is not quiescent

In this case we prove that $e' \sqsubseteq_Q f'' + \sum_{a \in A} a.f_a''$. The method is exactly the same we used in the first case. For any summand $a.e''$ of $e'$, in fact, there is a summand $a.f_a''$ of $f'' + \sum_{a \in A} a.f_a''$. Additional summands $a.f_a''$ of the right expression that do not have any corresponding summand in $e'$ can be added using the $Ec$ axioms.


Completeness

Let $e \sqsubseteq_Q f$. We show that conditions 1, 2 and 3 are satisfied.

1. Suppose $e$ to be quiescent. By definition of quiescent trace, $\lambda$ is a quiescent trace of $e$, hence, by hypothesis, $\lambda$ is a quiescent trace of $f$. By Lemma 5.4.3, $\lambda$ is a quiescent trace of $f_j$ for some $j$, hence, since $f_j$ does not enable any internal action, $f_j$ is quiescent.

2. Suppose condition 2 to be false and let $i$ be one of the indexes for which the condition is false. We distinguish the following cases:

(a) $a_i$ is an output action
In this case the left side of condition 2 must be false. If $\forall j : g_j^{a_i} = \epsilon$, then no external trace with $a_i$ as first action is an external trace of $f$, while $a_i$ is an external trace of $e$. This gives a contradiction, hence $\exists j : g_j^{a_i} \neq \epsilon$. Since condition 2 is false, it must be $e_i \not\sqsubseteq_Q (\bigoplus_{j : g_j^{a_i} \neq \epsilon} g_j^{a_i})$. Let $t'$ be an external (quiescent) trace of $e_i$ but not of $\bigoplus_{j : g_j^{a_i} \neq \epsilon} g_j^{a_i}$. Clearly $t = a_i t'$ is an external (quiescent) trace of $e$. We show that $t$ is not an external (quiescent) trace of $f$, obtaining a contradiction. Suppose $f \stackrel{a_i}{\Longrightarrow} f'$ where $t'$ is an external (quiescent) trace of $f'$. From the transition rules, $\exists j, k : f' = f_{jk}$ and $b_{jk} = a_i$. By definition, $f_{jk}$ is a summand of $g_j^{a_i}$, hence $t'$ is an external (quiescent) trace of $\bigoplus_{j : g_j^{a_i} \neq \epsilon} g_j^{a_i}$. This gives a contradiction.

(b) $a_i$ is an input action
Since the right part of condition 2 must be false, then $\forall j : g_j^{a_i} \neq \epsilon$. It is then enough to repeat the argument of the previous case to conclude.

3. Suppose condition 3 to be false. Then $\exists a \in (\bigcap_j wsi(f_j)) \setminus wsi(e) : \Omega \not\sqsubseteq_Q (\bigoplus_j g_j^a)$. Let $t'$ be an external (quiescent) trace of $\Omega$ but not of $\bigoplus_j g_j^a$, and consider $t = at'$. Clearly, since from the transition rules and Lemma 5.4.2 $e \stackrel{a}{\longrightarrow} \Omega$, $t$ is an external (quiescent) trace of $e$. By using the same argument as in case (b) of the proof for condition 2 we obtain that $t'$ is an external (quiescent) trace of $\bigoplus_j g_j^a$. This gives a contradiction.


The following definition is fundamental for setting up the opportune inductive proofs.

Definition 5.4.5 (complexities) The atomic complexity $A$ of an atomic expression $e$ is the number of $nil$ subexpressions appearing in $e$.

The prefix complexity $P$ of an expression $e$ in prefix normal form is defined as

$P(e) = 0$ if $e$ is atomic; $P(e) = 1 + P(e_1)$ if $e = a.e_1$ for some action $a$; $P(e) = \max(P(e_1), P(e_2))$ if $e = e_1 + e_2$.

The complexity $C$ of an expression $e$ in internal prefix form is the maximum prefix complexity of its summands.
We first prove the completeness result for atomic expressions.

Lemma 5.4.6 Let $e$ be an atomic expression. If $e \stackrel{a}{\longrightarrow} f$ for some external action $a$ where $e \neq f$, then there is an atomic expression $f'$ such that $A(f') < A(e)$ and $\vdash f =_Q f'$.

Proof. From the transition rules a process $\Omega$ only has self loops for external actions. If $e \neq f$, then the only processes that can have changed are $nil$. A process $nil$ can either have a self loop or a transition to $\Omega$. This implies that at least one of the $nil$ subterms of $e$ has become $\Omega$ in $f$. From axiom $P$ all $\Omega$ subexpressions of $f$ can be collapsed into a single $\Omega$ expression. The resulting expression $f'$ is atomic and is such that $A(f') < A(e)$. ∎

Lemma 5.4.7 $e_1 \oplus \cdots \oplus e_n \sqsubseteq_Q f$ iff $\forall\, 1 \le i \le n : e_i \sqsubseteq_Q f$.

Proof. Direct consequence of Lemma 5.4.3. ∎

Lemma 5.4.8 (completeness for atomic expressions) Let $e, f$ be internal sums of atomic expressions. If $e \sqsubseteq_Q f$ then $\vdash e \sqsubseteq_Q f$.

Proof. From Lemma 5.4.7 and the $Ic$ axioms it is sufficient to analyze the case in which $e$ is atomic. We show the result by induction on the sum $n$ of the atomic complexities of $e$ and the summands of $f$. If $n = 0$ then $e = \Omega$ and each summand of $f$ is $\Omega$. By the $Ic$ axioms, $\vdash f =_Q \Omega$, hence, by reflexivity and transitivity of $\sqsubseteq_Q$, $\vdash e \sqsubseteq_Q f$. Let $n > 0$. Since $e \sqsubseteq_Q f$, by Proposition 5.3.2 the premises of axiom $Cp_1$ are satisfied. For each action $a$ conditions 1 and 2 are easily checkable. Suppose conditions 1 and 2 to be false. Then condition 3 is true. By Lemma 5.4.6 and the non validity of condition 1, the sum of the atomic complexities of the expressions to compare in condition 3 is less than $n$. It is then enough to apply the induction hypothesis and use axiom $Cp_1$ to conclude. ∎


We can now prove the completeness result for expressions in internal prefix form.

Proposition 5.4.9 (completeness for expressions in internal prefix form) Let $e$ and $f$ be expressions in internal prefix form. If $e \sqsubseteq_Q f$ then $\vdash e \sqsubseteq_Q f$.

Proof. From Lemma 5.4.7 and the $Ic$ axioms it is sufficient to analyze the case in which $e$ is in prefix normal form. We show the result by induction on the maximum complexity $n$ of $e$ and $f$. If $n = 0$ then $e$ and the summands of $f$ are atomic expressions and the result is given by Lemma 5.4.8. If $n > 0$ then, by using axiom $E_1$, there are two expressions $e', f'$ such that $\vdash e =_Q e'$, $\vdash f =_Q f'$, the maximum complexity of $e'$ and $f'$ is $n$, and no summands of $e'$ and $f'$ are atomic expressions. We can again assume $e'$ to be in prefix normal form. By applying axiom $Cp_2$ to $e'$ and $f'$ we have that, for each condition involving the comparison of some expressions, one level of prefixing is eliminated, hence the complexity of the expressions to prove in relation is less than $n$. By applying the induction hypothesis and successively axiom $Cp_2$, the proof is concluded. ∎

To prove that every recursion-free expression has a provably equivalent one in internal prefix form we show that the class of expressions in internal prefix form is closed under all the operators of DIOA.

Lemma 5.4.10 (closure under internal choice) The internal prefix form is closed under internal choice.

Proof. Immediate from the definition of internal prefix form and the associativity of the internal choice operator. ∎

Lemma 5.4.11 (closure under prefixing) Let $e$ be an expression in internal prefix form. Then there is an expression $g$ in internal prefix form such that $\vdash a.e =_Q g$.

Proof. Direct consequence of the distributivity of $a.$ over $\oplus$ (one of the $Ic$ axioms). ∎

Lemma 5.4.12 (closure under external choice) Let $e, f$ be expressions in internal prefix form. Then there is an expression $g$ in internal prefix form such that $\vdash e \;{}_I{+}_J\; f =_Q g$.

Proof. By repeatedly using the $Ic$ axiom stating the distributivity of ${}_I{+}_J$ over $\oplus$, the problem is reduced to the case in which $e$ and $f$ are in prefix normal form. If $e$ or $f$ are atomic expressions, then we use axiom $E_1$ to transform them into non atomic expressions $e', f'$ in prefix normal form. By means of one of the $Ec$ axioms, the operator ${}_I{+}_J$ is replaced by ${}_K{+}_K$ where $K = wsi(e') \cap wsi(f')$. By repeatedly applying the $Ec$ axioms we obtain $\vdash e' \;{}_K{+}_K\; f' =_Q e'' \;{}_K{+}_K\; f''$ where one of the following conditions holds:
1. $wsi(e'') = wsi(f'') = K$
In this case we already have our expression $g$.

2. $wsi(e'') = K$, $f'' = a.f'''$, $a$ is an input action and $a \notin K$
In this case one of the $Ec$ axioms is sufficient to conclude.

3. $wsi(f'') = K$, $e'' = a.e'''$, $a$ is an input action and $a \notin K$
In this case the $Ec$ axioms are sufficient to conclude.

4. $e'' = a.e'''$, $f'' = b.f'''$, $a, b$ are input actions and $a, b \notin K$
In this case $K = \emptyset$, hence we use the $Ec$ and $Ic$ axioms to show the following:

$e'' \;{}_\emptyset{+}_\emptyset\; f'' =_Q (e'' \;{}_\emptyset{+}_\emptyset\; nil) \;{}_\emptyset{+}_\emptyset\; f'' =_Q (nil \;{}_\emptyset{+}_\emptyset\; e'') \;{}_\emptyset{+}_\emptyset\; f'' =_Q nil \;{}_\emptyset{+}_\emptyset\; f'' =_Q nil$.

The assertion on the complexity is then trivial.

This concludes the proof. ∎


Lemma 5.4.13 (closure under hiding) Let $e$ be an expression in internal prefix form. Then there is an expression $g$ in internal prefix form such that $\vdash \tau_I(e) =_Q g$.

Proof. By repeatedly using the hiding axiom stating the distributivity of $\tau_I$ over $\oplus$, the problem is reduced to the case in which $e$ is in prefix normal form. The proof is by induction on the prefix complexity of $e$. If $e$ is atomic then, by repeatedly using the hiding axioms and the substitutivity property, we obtain an expression $e'$ such that $\vdash \tau_I(e) =_Q \tau_I(e')$ and $\tau_I(e')$ satisfies the conditions for the hiding axiom that eliminates the operator. The application of that axiom yields the desired expression $g$. Notice that the complexity of $g$ is $0$. Suppose now the prefix complexity of $e$ to be $n > 0$, i.e. $e = (\sum_i a_i.e_i)$ where the prefix complexity of each $e_i$ is less than $n$. We distinguish the following cases:

By using the hiding axioms we have $\vdash \tau_I(\sum_i a_i.e_i) =_Q (\sum_i a_i.\tau_I(e_i))$. By induction each $\tau_I(e_i)$ has a provably equivalent expression $g_i$ in internal prefix form. By Lemma 5.4.11 each $a_i.g_i$ has a provably equivalent expression $g_i'$ in internal prefix form. The desired expression $g$ is then $(\sum_i g_i')$. The condition on the complexity is trivially satisfied.
2. $e = e' + a_n.e_n$ where $e'$ is quiescent and $a_n \in I$

From the hiding axioms, $\vdash \tau_I(e) =_Q \tau_I(e' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n)$. From case 1, $\vdash \tau_I(e') =_Q e''$ for some $e''$ in internal prefix form. By induction $\vdash \tau_I(e_n) =_Q e_n'$ for some $e_n'$ in internal prefix form. By using axiom $E_1$ we can force $e''$ and $e_n'$ not to have atomic summands. From the hiding axioms and the $Ic$ axioms there are two expressions $e'''$ and $e_n''$, differing only in the signatures of the operators, such that $\vdash e'' =_Q \tau_I(e''')$ and $\vdash e_n' =_Q \tau_I(e_n'')$. In particular $e'''$ and $e_n''$ do not enable actions from $I$. From the hiding axioms $\vdash \tau_I(e' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n) =_Q \tau_I(e''' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n'') =_Q \tau_I(e''') \;{}_{wsi(e')}{+}_{wsi(e')}\; \tau_I(e_n'') =_Q e'' \;{}_{wsi(e')}{+}_{wsi(e')}\; e_n'$. The closure under external choice is then sufficient to conclude.

3. $e = a_1.e_1$ where $a_1 \in I$

By induction $\vdash \tau_I(e_1) =_Q e_1'$ for some $e_1'$ in internal prefix form. By using axiom $E_1$ we can force $e_1'$ not to have atomic summands. Moreover, from the internal choice axioms, we can assume without loss of generality that $e_1'$ is in prefix normal form. From the hiding axioms and the $Ic$ axioms there is an expression $e_1''$, differing only in the signatures of the operators, such that $\vdash e_1' =_Q \tau_I(e_1'')$. In particular $e_1''$ does not enable actions from $I$. From the hiding axioms, $\vdash \tau_I(a_1.e_1) =_Q \tau_I(a_1.e_1'')$. From the $Ec$ axioms, $\vdash a_1.e_1'' =_Q nil + a_1.e_1''$. From the hiding axioms, $\vdash \tau_I(nil + a_1.e_1'') =_Q \tau_I(nil \;{}_\emptyset{+}_\emptyset\; e_1'')$. By using the $Ec$ axioms all input prefixed summands of $e_1''$ can be eliminated, obtaining $\vdash \tau_I(nil \;{}_\emptyset{+}_\emptyset\; e_1'') =_Q \tau_I(nil \;{}_\emptyset{+}_\emptyset\; e_1''')$ where $wsi(e_1''') = \emptyset$. From the $Ec$ axioms $\vdash \tau_I(nil \;{}_\emptyset{+}_\emptyset\; e_1''') =_Q \tau_I(e_1''')$. The application of the hiding axioms is then sufficient to conclude.

4. $e = e' + a_n.e_n$ where $e'$ is not quiescent and $a_n \in I$

From the hiding axioms and the $Ic$ axioms, $\vdash \tau_I(e) =_Q \tau_I(e' \oplus e_n) =_Q \tau_I(e') \oplus \tau_I(e_n)$. The expression $\tau_I(e_n)$ can be reduced by induction. For the expression $\tau_I(e')$ we observe that $e'$ has one summand less than $e$. We then repeatedly apply case 4 to $\tau_I(e')$ and to its derived expressions until case 4 does not apply (and we know that case 4 will not apply at a certain point since at least two summands are needed). When case 4 does not apply, we use the applicable case among 1, 2 and 3 and the proof is concluded.
Lemma 5.4.14 (closure under renaming) Let $e$ be an expression in internal prefix form. Then there is an expression $f$ in internal prefix form such that $\vdash \rho(e) =_Q f$.

Proof. Since the renaming operator is distributive over all other DIOA operators, it can be pushed down to the lowest level and then be completely eliminated from any DIOA expression. ∎

Lemma 5.4.15 (closure under parallel composition) Let $e, f$ be expressions in internal prefix form with a finite interface. Then there is an expression $g$ in internal prefix form such that $\vdash e \| f =_Q g$.

Proof. By repeatedly using the $Ic$ axiom stating the distributivity of $\|$ over $\oplus$, the problem is reduced to the case in which $e$ and $f$ are in prefix normal form. We proceed by induction on the prefix complexities of $e$ and $f$. If both $e$ and $f$ are atomic then the result is immediate. Suppose now the maximum complexity of $e$ and $f$ to be $n > 0$. If $e$ or $f$ are atomic expressions, then we use axiom $E_1$ to transform them into expressions $e', f'$ in internal prefix form that have no atomic summands, without affecting the maximum complexity of $e$ and $f$. After reducing again the problem to the case in which all expressions are in prefix normal form, we apply the expansion axiom $E_2$, obtaining a new equivalent expression $e'' = \sum_{i \in I} a_i.f_i$ where each $f_i = f_i^1 \| f_i^2$ and the maximum complexity of $f_i^1$ and $f_i^2$ is less than $n$. It is then enough to apply the induction hypothesis and use the $Ic$ axioms to conclude. ∎

Lemma 5.4.16 (reduction to internal prefix form) Let $e$ be a recursion-free DIOA expression with a finite interface. Then there is an expression $g$ in internal prefix form such that $\vdash e =_Q g$.

Proof. The proof proceeds by structural induction on the given expression $e$. The basic cases $nil$ and $\Omega$ are trivial since they are atomic expressions. For all other operators we first reduce their arguments using the induction hypothesis, then we eliminate the new operator by means of the closure lemmas 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.4.14 and 5.4.15. ∎

We can finally prove the main theorem.

Theorem 5.4.17 (completeness) Let $e, f$ be recursion-free DIOA expressions with a finite interface. If $e \sqsubseteq_Q f$ then $\mathcal{A} \vdash e \sqsubseteq_Q f$ where $\mathcal{A}$ is the set of all axioms presented in this thesis.

Proof. By means of Lemma 5.4.16 the problem is reduced to the case in which $e$ and $f$ are in internal prefix form. The completeness result is then stated by Proposition 5.4.9. ∎
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Chapter 6 


Example Specifications and 


Verifications 


In this chapter we show some example specifications and verifications within DIOA. We specify a simple circuit that is reported in [Jos92] and a more complicated one that is reported in [BV88]. The examples are preceded by a discussion about the use of the quiescent preorder as an implementation relation.


6.1 Quiescent preorder as an implementation relation 


The intuitive idea of implementation at the base of the semantics of I/O automata is that 
an implementation must respond to a sequence of external stimuli with some output actions 
whenever the specification must too. The way in which the above idea is captured is by means 
of fair trace inclusion. 

Can the quiescent preorder be used for capturing the same idea of implementation? In this section we just want to give an informal understanding of this question without pretending to be formal. With this discussion we want to point out some of the problems of choosing a relation as an implementation relation.


The answer to the given question is "no" in general. The absence of the notion of fairness, in fact, causes several problems. Consider for example

$A \stackrel{\rm def}{=} \tau_{\{i\}}(a . X)$

and

$B \stackrel{\rm def}{=} a . b . nil$

where $X \stackrel{\rm def}{=} i . X$, a is an input action and b is an output action. It is immediate to verify that $A \sqsubseteq_Q B$, but we do not want to consider A to be an implementation of B since A refuses to perform action b after receiving the input a while B must perform the output action b. The problem is essentially in the internal looping of A since we cannot observe it by means of external and quiescent traces. In I/O automata the distinction between A and B is given by fair traces: in fact a is a fair trace of A but not a fair trace of B according to the I/O automata semantics. Also in receptive process theory [Jos92] the problem is solved since a is a divergence of A but not a divergence of B. The use of divergences, however, leads to $A \not\sqsubseteq B + a . nil$ while the quiescent and fair preorders lead to $A \sqsubseteq B + a . nil$. We would like to consider $A \sqsubseteq B + a . nil$ since, although the implementation A refuses to perform action b after a, the specification may too.

In order to use the quiescent preorder we have to be sure that situations like the one presented above do not arise, i.e., we can deal only with processes that, whenever they present an internal divergence, can reach a quiescent state with a finite number of internal moves. This is the only way the quiescent preorder has to detect a possibility of refusing the performance of output actions due to an internal divergence. In the restricted case above the notion of implementation is represented by the quiescent trace preorder as follows: the condition on the quiescent traces makes sure that, after some stimuli, some output actions will eventually be enabled; the condition on the external traces makes sure that only the desired output actions will be enabled.


The notion above, however, presents some subtle properties. Consider for example

$A \stackrel{\rm def}{=} a . b . nil$

and

$B \stackrel{\rm def}{=} a . b . nil + a . nil$

where a is an input action and b is an output action. We do not want to consider B as an implementation of A, and the quiescent trace preorder detects the deadlock problem since a is a quiescent trace of B but not a quiescent trace of A. Consider now

where c is an output action. The result is that


Why does the above result hold? The idea is that, from the point of view of the output actions, the quiescent preorder makes no distinction between the actions of C and those of A. In particular, an output action (c) is always enabled. With the use of the fair preorder the output actions of C are separated from those of A since they constitute two separate classes in the partition of the locally controlled actions of $C \parallel A$. In the quiescent preorder the partition is constituted by a single class. Notice that the example above is valid also for Receptive Process Theory since C is divergent and the parallel composition of a divergent process with any other process is the divergent process. In other words RPT and the quiescent preorder do not deal with the parallel structure of a system while the fair preorder does.

A new question now arises: Does the quiescent preorder imply the fair preorder in the restricted conditions described above? The answer is "no". Let $X \stackrel{\rm def}{=} a . X + b . X + i . a . B$, $B \stackrel{\rm def}{=} a . B + b . B$, $P \stackrel{\rm def}{=} a . P' + b . P'$ and $P' \stackrel{\rm def}{=} a . P'$ where a is an input action and b, i are output actions. Then $P \sqsubseteq_Q \tau_{\{i\}}(X)$ but $P \not\sqsubseteq_F \tau_{\{i\}}(X)$ since a is a fair trace of P but not a fair trace of $\tau_{\{i\}}(X)$. With this example we can also give an example of an intuitive property that is not detected by the quiescent preorder: if the output action b is blocked after n occurrences of action a, then b is not blocked after n+1 occurrences of a. The same problem holds also within Receptive Process Theory and within the fair preorder relation. For Receptive Process Theory it is enough to use the same example as above; for the fair preorder it is enough to change the definition of B to $B \stackrel{\rm def}{=} a . X + b . B$ to have the same problem as above with $P \sqsubseteq_F \tau_{\{i\}}(X)$.


The last example presented above is the consequence of a problem that seems general within the field of specification and verification, namely the understanding of the actual properties that can be detected by a particular notion of implementation. This topic could be the subject of further research.


6.2 A simple circuit 


In this section we use DIOA and the quiescent preorder to specify and verify a simple circuit 
that is reported in [Jos92]. We start by specifying some simple devices. 

A majority element is a device having three input ports and an output one. The voltage level of the output port is that of the majority of the inputs. Every action in the specification represents a change of voltage level in the corresponding port. The process variable M represents the majority element when the voltage levels of its input ports are the same as the voltage level of its output port. The process variables containing subscripts represent the majority element when only the voltage levels of the input ports not appearing as subscripts are the same as the voltage level of the output port. Note that the equation for $M_{ab}$ specifies that no inputs causing a variation in the output voltage level can occur when the output voltage level already has to change. If such inputs occur then the system moves to an unspecified state. Real implementations might actually present glitches on their output ports when such abnormal input sequences occur.


Specification 6.2.1 (majority element) A majority element is specified by the following equations

$M \stackrel{\rm def}{=} a . M_a + b . M_b + c . M_c$
$M_a \stackrel{\rm def}{=} a . M + b . M_{ab} + c . M_{ac}$
$M_{ab} \stackrel{\rm def}{=} m . M_c + c . M_{abc}$
$M_{abc} \stackrel{\rm def}{=} m . M + a . M_{bc} + b . M_{ac} + c . M_{ab}$

where a, b, c are input actions and m is an output action. The equations for $M_b$, $M_c$, $M_{ac}$ and $M_{bc}$ are similar to the equations above and can be easily derived.
A wire is simply a device that waits for a change of level in its input port and communicates the change of level through its output port. Input and output actions must be interleaved. If two consecutive inputs are not interleaved with an output then the system moves to the unspecified state.

Specification 6.2.2 (wire) A wire is specified by the following equation:

$W \stackrel{\rm def}{=} m . c . W$

where m is an input action and c is an output action.


A Muller element has two inputs and a single output. It waits for a change of level of both its input ports before changing the level of its output port. The subscripts in the process variables represent the input ports that have changed voltage level. When both the inputs have changed (state $C_{ab}$) the output voltage level is changed.

Specification 6.2.3 (Muller element) A Muller element is specified as follows:

$C \stackrel{\rm def}{=} a . C_a + b . C_b$
$C_a \stackrel{\rm def}{=} a . C + b . C_{ab}$
$C_b \stackrel{\rm def}{=} a . C_{ab} + b . C$
$C_{ab} \stackrel{\rm def}{=} c . C$

where a, b are input actions and c is an output action.


To give a simple example we formally prove that a Muller element can be implemented using a majority element and a wire.

Proposition 6.2.4 A Muller element C can be implemented using a majority element and a wire, i.e., $\tau_{\{m\}}(M \parallel W) \sqsubseteq_Q C$.

Proof. We show that $\tau_{\{m\}}(M \parallel W) \sqsubseteq_Q C$. For doing that we consider a family of processes $I, I_a, I_b, I_{ab}$, where $I \stackrel{\rm def}{=} \tau_{\{m\}}(M \parallel W)$, and show that they satisfy the equations of C with $\sqsubseteq_Q$. It is then enough to use the recursive substitutivity axiom to conclude.
By applying the expansion axiom and the hiding axioms we obtain

$I =_Q \tau_{\{m\}}(M \parallel W)$   by expanding the process variables
$=_Q \tau_{\{m\}}((a . M_a + b . M_b + c . M_c) \parallel (m . c . W))$   by axiom E
$=_Q \tau_{\{m\}}(a . (M_a \parallel (m . c . W)) + b . (M_b \parallel (m . c . W)))$   by substituting W for E(W)
$=_Q \tau_{\{m\}}(a . (M_a \parallel W) + b . (M_b \parallel W))$   by axiom I
$=_Q \tau_{\{m\}}(a . (M_a \parallel W)) + \tau_{\{m\}}(b . (M_b \parallel W))$   by axiom I
$=_Q a . \tau_{\{m\}}(M_a \parallel W) + b . \tau_{\{m\}}(M_b \parallel W)$   by definition of $I_a$ and $I_b$
$=_Q a . I_a + b . I_b$

where we define

$I_a \stackrel{\rm def}{=} \tau_{\{m\}}(M_a \parallel W)$
$I_b \stackrel{\rm def}{=} \tau_{\{m\}}(M_b \parallel W)$

With the same method we have

$I_a =_Q \tau_{\{m\}}(M_a \parallel W) =_Q a . \tau_{\{m\}}(M \parallel W) + b . \tau_{\{m\}}(M_{ab} \parallel W) =_Q a . I + b . I_{ab}$

and

$I_b =_Q \tau_{\{m\}}(M_b \parallel W) =_Q a . \tau_{\{m\}}(M_{ab} \parallel W) + b . \tau_{\{m\}}(M \parallel W) =_Q a . I_{ab} + b . I$

where we define

$I_{ab} \stackrel{\rm def}{=} \tau_{\{m\}}(M_{ab} \parallel W)$

We now proceed with the analysis of $I_{ab}$. Step by step comments are below.

$I_{ab} =_Q \tau_{\{m\}}(M_{ab} \parallel W)$
$=_Q \tau_{\{m\}}(a . (\Omega \parallel W) + b . (\Omega \parallel W) + m . (M_c \parallel c . W))$
$\sqsubseteq_Q \tau_{\{m\}}(m . (M_c \parallel c . W))$
$=_Q \tau_{\{m\}}(m . (a . (M_{ac} \parallel c . W) + b . (M_{bc} \parallel c . W) + c . (M \parallel W)))$
$\sqsubseteq_Q \tau_{\{m\}}(m . c . (M \parallel W))$
$=_Q c . \tau_{\{m\}}(M \parallel W)$
$=_Q c . I$
The first step follows the lines of the previous derivations by expanding process variables, applying the expansion theorem, and reconverting untouched expanded expressions to their corresponding process variable; the second step is an application of axiom Ec, where inputs a and b are eliminated. According to the specification of $C_{ab}$, in fact, no input should occur before output c occurs. The expression on the second line specifies an implementation choice in the presence of inputs a and b while the expression on the third line does not specify any implementation choice. The third step is similar to the first one while the fourth step consists of successive applications of the hiding axioms. Action m is eliminated through axiom I and action c is brought outside the scope of the hiding operator through axiom I. The last step is a direct consequence of the definition of I.

We can now apply the recursive substitutivity axiom and conclude. □
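The reasoning of Section 6.1 and of the proof of Proposition 6.2.4 can also be checked mechanically on the finite transition systems that the specifications denote. The following Python program is an added example, not code from the thesis: it encodes Specifications 6.2.1, 6.2.2 and 6.2.3 and the processes A, B of Section 6.1 as finite state tables, treats every input that is not listed in a state as leading to $\Omega$, builds parallel composition and hiding as the operators do, and compares external traces and quiescent traces up to a fixed length. The trace bound (6), the absorption of $\Omega$ in a parallel composition, and the table encoding of the expressions are this example's own assumptions; it checks trace inclusion on a finite prefix and does not replay the axiomatic proof.

```python
"""Finite-state reading of DIOA processes (inputs, outputs, internal actions, Ω as the
unspecified process): parallel composition, hiding and a bounded quiescent-preorder check.
Constructed example; the tables are transcribed from Sections 6.1 and 6.2 of the thesis."""
from itertools import combinations
OMEGA = "Ω"  # unspecified process: every trace, quiescent or not, is admitted (assumption)

class Proc:
    """Table state -> [(action, next)]; an input not listed in a state leads to Ω."""
    def __init__(self, inputs, outputs, start, table, internals=()):
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.internals, self.start, self.table = frozenset(internals), start, table
        self.alphabet = self.inputs | self.outputs | self.internals

    def succ(self, s, act):
        if s == OMEGA:
            return {OMEGA}
        nxt = {t for x, t in self.table.get(s, ()) if x == act}
        return nxt if nxt or act not in self.inputs else {OMEGA}

    def quiescent(self, s):  # no output and no internal action enabled; Ω counts as quiescent
        return s == OMEGA or not any(self.succ(s, x) for x in self.outputs | self.internals)

    def closure(self, states):  # states reachable through internal moves only
        seen, todo = set(states), list(states)
        while todo:
            s = todo.pop()
            for x in self.internals:
                for t in self.succ(s, x) - seen:
                    seen.add(t); todo.append(t)
        return seen

    def traces(self, n):
        """External traces and quiescent traces of length <= n (Ω admits every continuation)."""
        ext, quiet = set(), set()
        def explore(states, trace):
            ext.add(trace)
            if any(self.quiescent(s) for s in states):
                quiet.add(trace)
            if len(trace) < n:
                for a in sorted(self.inputs | self.outputs):
                    nxt = set().union(*(self.succ(s, a) for s in states))
                    if nxt:
                        explore(self.closure(nxt), trace + (a,))
        explore(self.closure({self.start}), ())
        return ext, quiet

class Par(Proc):
    """p || q: shared actions synchronise; the composite is Ω as soon as either side is."""
    def __init__(self, p, q):
        assert not (p.outputs & q.outputs), "each output has exactly one owner"
        self.p, self.q = p, q
        super().__init__((p.inputs | q.inputs) - (p.outputs | q.outputs),
                         p.outputs | q.outputs, (p.start, q.start), {}, p.internals | q.internals)

    def succ(self, state, act):
        if state == OMEGA:
            return {OMEGA}
        s, t = state
        left = self.p.succ(s, act) if act in self.p.alphabet else {s}
        right = self.q.succ(t, act) if act in self.q.alphabet else {t}
        return {OMEGA if OMEGA in (s2, t2) else (s2, t2) for s2 in left for t2 in right}

class Hide(Proc):
    """τ_H(p): the outputs in H become internal actions."""
    def __init__(self, p, hidden):
        self.p = p
        super().__init__(p.inputs, p.outputs - set(hidden), p.start, {}, p.internals | set(hidden))

    def succ(self, state, act):
        return self.p.succ(state, act)

def quiescent_leq(impl, spec, n=6):
    """impl ⊑_Q spec on traces of length <= n: external and quiescent trace inclusion."""
    assert (impl.inputs, impl.outputs) == (spec.inputs, spec.outputs)
    ext_i, quiet_i = impl.traces(n)
    ext_s, quiet_s = spec.traces(n)
    return ext_i <= ext_s and quiet_i <= quiet_s

def majority():
    """Specification 6.2.1: a state is the set of input ports whose level differs from the
    output; m fires once two or more differ, and with exactly two differing those two
    inputs are not listed (so they lead to Ω).  This reproduces the displayed equations."""
    table = {}
    for k in range(4):
        for S in map(frozenset, combinations("abc", k)):
            table[S] = [(x, S ^ {x}) for x in "abc" if not (len(S) == 2 and x in S)]
            if len(S) >= 2:
                table[S].append(("m", frozenset("abc") - S))
    return Proc("abc", "m", frozenset(), table)

WIRE = Proc("m", "c", "W", {"W": [("m", "W'")], "W'": [("c", "W")]})  # Specification 6.2.2
MULLER = Proc("ab", "c", "C", {"C": [("a", "Ca"), ("b", "Cb")], "Ca": [("a", "C"), ("b", "Cab")],
                               "Cb": [("a", "Cab"), ("b", "C")], "Cab": [("c", "C")]})  # 6.2.3
IMPL = Hide(Par(majority(), WIRE), "m")  # τ_{m}(M || W) of Proposition 6.2.4

# Section 6.1 (a input, b output): A1 = τ_{i}(a.X), X = i.X; B1 = a.b.nil; A2 = a.b.nil; B2 = a.b.nil + a.nil
A1 = Proc("a", "b", 0, {0: [("a", 1)], 1: [("i", 1)]}, internals="i")
B1 = A2 = Proc("a", "b", 0, {0: [("a", 1)], 1: [("b", 2)], 2: []})
B2 = Proc("a", "b", 0, {0: [("a", 1), ("a", 2)], 1: [("b", 2)], 2: []})
```

quiescent_leq(IMPL, MULLER) returns True, mirroring $\tau_{\{m\}}(M \parallel W) \sqsubseteq_Q C$. quiescent_leq(A1, B1) also returns True, which is exactly the weakness discussed in Section 6.1: the internal loop of A is invisible to external and quiescent traces. quiescent_leq(B2, A2) returns False, because the trace a is quiescent for B but not for A.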


6.3 Handshaking protocol


In this section we use DIOA to specify and verify a circuit realizing the handshaking protocol. The circuit is derived from Kaldewaij [Kal87] and was already specified and verified by means of ACP by Baeten and Vaandrager [BV88]. The main problem encountered in [BV88] is the absence of a distinction between input and output actions in a process. They had to introduce an operator 6 to describe the "no output blocking" property of I/O automata and another operator V to limit the traces of a process. In DIOA the "no output blocking" property is granted by the calculus itself; moreover we do not have to restrict the set of traces to consider because the result of giving unexpected input actions moves the system to the state $\Omega$ from which every trace is admitted. In this way $\Omega$ represents the unspecified process, i.e., if the specification of a device moves to $\Omega$ for a particular action, then the implementation is correct for whatever behavior it exhibits after performing the same action.

We now give the specifications of some electronic components. A digital component is characterized by a set of input ports and a set of output ports. Each port accepts (or generates) two different signals: HI or LOW. In the rest of this section we will use actions to represent a change of voltage level (from HI to LOW or vice versa) in the signals. In this way, instead of having a pair of actions for each port ($a\uparrow$, $a\downarrow$) as in [BV88], we have a single action a corresponding to a change of voltage level. We start by specifying an AND port.
Specification 6.3.1 (AND port) The following set of equations specify an AND port.

$A^{00}_{xyz} \stackrel{\rm def}{=} x . A^{10}_{xyz} + y . A^{01}_{xyz}$
$A^{10}_{xyz} \stackrel{\rm def}{=} x . A^{00}_{xyz} + y . z . A^{11}_{xyz}$
$A^{01}_{xyz} \stackrel{\rm def}{=} x . z . A^{11}_{xyz} + y . A^{00}_{xyz}$
$A^{11}_{xyz} \stackrel{\rm def}{=} x . z . A^{01}_{xyz} + y . z . A^{10}_{xyz}$

where x, y are input ports and z is an output port. The initial state of the port is $A^{00}_{xyz}$, corresponding to both inputs at the low level.


The specification above contains four process variables, each one corresponding to a particular state of the inputs. At each step the port is able to accept an input and consequently change its state. When the output level has to change, no other input may be sent until the output level is changed. An input action sent while the system is changing its output state will move the system to an unspecified state. The next specification introduces an AND port with a negated input. The line under x specifies that port x is negated.


Specification 6.3.2 (AND port with a negated input) The following equations specify an AND port with a negated input.

$A^{00}_{\underline{x}yz} \stackrel{\rm def}{=} x . A^{10}_{\underline{x}yz} + y . A^{01}_{\underline{x}yz}$
$A^{10}_{\underline{x}yz} \stackrel{\rm def}{=} x . A^{00}_{\underline{x}yz} + y . z . A^{11}_{\underline{x}yz}$
$A^{01}_{\underline{x}yz} \stackrel{\rm def}{=} x . z . A^{11}_{\underline{x}yz} + y . A^{00}_{\underline{x}yz}$
$A^{11}_{\underline{x}yz} \stackrel{\rm def}{=} x . z . A^{01}_{\underline{x}yz} + y . z . A^{10}_{\underline{x}yz}$

where x, y are input actions and z is an output action. The initial state of the port corresponds to both inputs at the low level.


The AND port with a negated input is identical to the AND port with the difference that the output signal changes at different points (in the above specification the initial state is different from the initial state of specification 6.3.1). Note that, by suitably renaming the process variables, we can obtain the specification of the AND port. Another interesting observation is that, after giving the specification of an inverter (a component giving as output the opposite of its input), the AND port with a negated input cannot be implemented using a normal AND port with an inverter. In fact its correctness strictly depends on time assumptions about the occurrences of new inputs and the speed of the components. The two kinds of AND ports we have just introduced are represented in figure 6-1.

Figure 6-1: Symbolic representation of AND ports

We proceed by specifying a Muller C element. The specification below is similar to the one given in the previous section: it gives more restrictions to the occurrences of input actions. A Muller C element is essentially a component that waits for the change of both its input levels and then changes its output. Every input port cannot be changed more than once between one change in the output and the successive one.
Specification 6.3.3 (Muller C element) The following equations specify a Muller element.

$C^0_{xyz} \stackrel{\rm def}{=} x . y . z . C^1_{xyz} + y . x . z . C^1_{xyz}$
$C^1_{xyz} \stackrel{\rm def}{=} x . y . z . C^0_{xyz} + y . x . z . C^0_{xyz}$

where x, y are input actions and z is an output action. The initial state of the process is $C^0_{xyz}$, corresponding to all the interfaces at the low level.


The following specification introduces a Muller C element with a negated input. It is immediate to observe that the only difference from the normal Muller element is in the initial state. This is because we use actions to represent only changes of level and not the kind of variation itself.

Specification 6.3.4 (Muller element with a negated input) The following equations specify a Muller element with a negated input.

$C^0_{\underline{x}yz} \stackrel{\rm def}{=} x . y . z . C^1_{\underline{x}yz} + y . x . z . C^1_{\underline{x}yz}$
$C^1_{\underline{x}yz} \stackrel{\rm def}{=} x . y . z . C^0_{\underline{x}yz} + y . x . z . C^0_{\underline{x}yz}$

where x, y are input actions and z is an output action. The initial state of the process corresponds to all the interfaces at the low level.

Figure 6-2: Symbolic representation of Muller elements

Figure 6-2 represents the two kinds of Muller elements introduced above.

We are now ready to specify the handshaking bit protocol. This protocol is often used to avoid interference between circuits. The circuit has two input wires a, b and two output wires $\bar a$, $\bar b$. It has to follow the four-phase handshaking protocol for the pairs a, $\bar a$ and b, $\bar b$, where a, $\bar a$ is the input side. This means that on the input side an external process will change the level of a and wait for a change of $\bar a$ and then repeat the same process; on the other side the output process waits for a change in action $\bar b$ and changes the level of b. It then repeats this pair of actions. No other kinds of interactions are admitted for the protocol. For example changing the level of a twice without waiting for the change of $\bar a$ will move the system to an unspecified state.


Specification 6.3.5 (handshaking protocol) The following equations specify the handshaking protocol.


def 


S=a.sS* 

OS Getta. 

be = 6.52 +4.6.6.6.0.5" 
StS b.St4+a.b.b.6.8" 
Seb. St+a.b.b.S* 

Se So. S+a.6.5" 
Figure 6-3: Implementation of the handshaking protocol

where a, b are input actions and $\bar a$, $\bar b$ are output actions. The initial state is S.


We now propose an implementation in which we assume instantaneous communication be- 
tween the components. This is a simplification of the implementation given in [BV88]. The 
implementation is the following process M. 


MS ry.ay(a-d. Chaall Asgall@ -¢« Chacll Anse) 


bac 


In the following we will let H = {c, d}. It is immediate to verify that M cannot diverge since every component having the control of an internal action must perform an external action before completing a cycle. Figure 6-3 represents process M. We proceed by giving the proof of correctness.

Proposition 6.3.6 (correctness of M) The implementation of the buffer is correct. In other words $M \sqsubseteq_Q S$.


Proof. To prove the correctness of the implementation we find a set of expressions 


M ={M, M*, M?, M3, M3, M7} 


that satisfies $M \sqsubseteq_Q E(S)[M/S]$. In this way we can apply the recursive substitutivity axiom to conclude. To prove the equations we continuously perform steps by means of the expansion axiom and then eliminate (if possible) undesired actions. We start by considering process M.
M =Q TH(a .(d. Cl


cad 


Agiall@.¢ + Cha 


bac 


|Ags) + 
Le TH(a . (d . Coad Agial|@.€ -Chacll Agen) 
=a a.TH(d. Coal Agaallé - c. ChacllAgen) 


+6 ° (a ° d ° Craall Apaal|Ql|Ages)) 


=Q a. Ta(d . (Coaall@ - Agaall@- c. ChacllAges) + a. (QUAgialla- c. ChacllAges)+ 
b.(d. Ceqal| Adaall2I|Az2s)) 
Le a. Ta(d . (Coaall@ - Agaalla - c. Cihacll Ages) 


In the first step we have applied the expansion axiom together with the substitutivity axiom for the hiding operator. To obtain the expression above we implicitly assume that the application of the expansion axiom proceeds as follows: unfold process variables that are not prefixed, apply the expansion axiom, fold unchanged unfolded expressions. Since we are not interested in the effects of action b (the equation for S does not consider action b) we use axiom Ec in the second step to eliminate the summand prefixed by b. In the third step we use axiom I to move the prefix a outside the hiding operator. We then apply the expansion axiom again and eliminate the undesired input actions with axiom Ec in the following two steps. Note that we choose the input actions to eliminate by looking at the specification 6.3.5. It is clear, in fact, that at this stage we do not have to wait for any input action until action $\bar a$ is performed. If an input action occurs before action $\bar a$ is performed then any behavior is admissible.

In the last step we have an internal action d. In order to eliminate this action we have to substitute its prefixed expression with an expression for which axiom I is applicable. For this reason let


M'= S Conall « Apaall@- c. Ciaell Ages 


acb 


By using the expansion axiom for the first step and axiom Ec to eliminate undesired inputs we have


MW’ =Q a - ( Coaall Abaalle - ChacllAges) + O- ( Creal Q|Q|| Agen) + 
a. (c. d. Coaalla- Ajaalla - c. ChacllAgen) 
L (CE cad |Agaalle - Ch || A 


eb) 




bac 


By substituting this last expression in the last expression obtained from M we have 


M Lg a.Ty(d.a. ( Claall Aidall€ - Chacll Agen) 
=Q a.TH(a. ( Caall Abaalle - Chacll Ages)


where the last expression is obtained by means of axiom I,,. Note in fact that wsi(@. 


(Coral Asaalle - Chacll Ages) = 0). Let 


def 


M* = = TH (a - ( Conall Asaalle - Cracll Ages) 


We have just shown that

$M \sqsubseteq_Q a . M^*$


We now proceed with the analysis of M*. Since we often have to eliminate undesired input actions we use the convention of not writing expressions that have to be eliminated in subsequent steps. This convention is immediately clear from the following steps.


* =Q a.TH (C tall Agdall€ - ChacllAgen) 
=q @.7H(a.(€.d. CoaallAgaalle - Covell Ages) +. (.--)+ 


° 


(a. d. Ceaal|Abaall Chacll Agen) 
Le a. Ta(a -(c. d. Ceaall Abaalle - ChacllAges) + c. (a. d. Craall Anaal|Ciaell Ages) 


In the previous steps we again used the expansion axiom together with axiom Ec. At this point we cannot proceed without solving the most internal expressions because there is an internal action as prefix. We then simplify the internal expressions as follows:


Cc. d. Coaall Agdalle + CracllAges 
=a €-(d. C2qal|AnaallCoacl| Ages) + @-(---) +. (.--) 


Le Cc. (d. Call Apaall Chacll Agen) 


a. d. Craall Apgal|Ciacll Ages 


=Q a. (d. Ceaall Avaall Ciaell Agen) + +6. (...) 
Le a. (d. Craall Abaall Chacll Ages) 


where we have again used the expansion axiom and axiom Ec. By combining the last two inequalities with the last expression obtained for M* we have
M* Cg 4a. Ta(a.(c.d. Ceaall Abaalle - Cy || Agen) + c.(a.d. Craall AnaallCiaell Ages)


Le @.TH(a.€.(d. Coal] AbaallCtacll Ages) + ¢-@- (d. Ce | ApaallCoacll Ages) 


cad 


bac 


We now have to apply axiom I, but we first have to simplify the internal expression in order to satisfy the condition for axiom I.


d. Cad | ApaallCracll Ages 
=Q d. ( Ceaalla - Asaall ChacllAges) + a.(...)+6.(...) 


Le d. ( Ceaalla - Asaall Chacll Ages) 


By substituting in the last expression for M* 


M* Cg @.tH(a.c.d.(Chall@. Antal CracllAgis) te. a-d. (Corall@ - Agaall Chacll Agen) 
=q @.tH(a.d.(Chall@- ApgallChacll Ages) 
=o 4.0.7 H(d.(Col|4- Ap vallChacll Ags) 
=o G@.a.tH(d. (4. (Chall AbdallO-¢- CPacllo. Als) ta. (...) $8.6...) 
Ce d.a.tH(d.d.(Coial|Abialld .¢. Chrellb - Al) 
Hq 4.4. 7H (4. (CoallAniallo. ©. Chacllo- Ants) 
=o @.a.0. 7H (Coal AbdallO- ¢- Chnelld- Adis) 


In the first step we used axiom Ig. The rest of the steps are obtained by using the expansion axiom together with axiom Ec (and the substitutivity rules, of course). The last but one step is obtained using axiom I. We can now define the new process


def 
M; = TH( Conall Asaall® - c. 


[|2. Aus) 


Cine 


What we have just shown is 


The following simplifications are new only for the third step. In this case we use axiom I followed by axiom I.


My =Q TH(b -( Ccad\| Abaallé - c. ChaellAges) + 6. (+ 
a.(c. Cead\| Abaallé - c. Chielld - Avs) 




Le TH(b. ( Ccaal| Abaallé - c. Ch, 
Agialld.¢. Cy 


\|Agin) + a.(e. Coral AgaallO- Cc. Chrelld - Aus) 
AM) +a. TH(e.d. Chall AallO -¢- CoagllB- AL's) 


bac acd 


bac 


cad bae| 




=¢ b.TH(Conal|Abgal|d «© - Chaell Alls) + 

a.ti(B.(¢.d. Ch al|AM||b.€ C2, ABS) +a. (...) #b. (2) 
Co b. TH(C2allAfgallb-¢- Cheol AU;) + 0. t(D. (e.d. Chall ARS ||b -€- Cfeell AL's) 
Ho br (C2allABa |B -€. CRpel|AL) +.B. tle. d. Chall Ab |B. €- CRyel|ALs) 


We now define two new processes: 
def 
M; = TH( Craall Asda - c. Cyaell Ages) 


M,& _ 'TH(C. d. Conall Asaallé - c. Craell Agen) 


What we have just shown is 


Ms Cab. M3 +a.b.M, 
We start by analyzing M,. 


My =Q Tila. (-. J+. (6.4. Coral Asaalle - Corel Aaa) 

Eg TH(b. (6.4. Coall Apaall - Cracll Ages) 

Ho b.tylo-d Chall Alle - Cell A8) 

Hy bo tyle.(d. Chal] Adal Coll. A 
a.(...)+b.(...)) 

Cg b.tH(e.(d.Ch 


cad 


hae aes) + 


Agia Chrelld - Ava) 


The steps above are again the application of the expansion axiom and axioms Ec, and Is. 
However it is not possible for the moment to eliminate the internal prefix c because we first 
have to simplify its prefixed expression. We then define 


Mo ac Tu(d. Cc! 


cad ll ApaallCs [|2. Aus) 


bac 


simplify Ms, and then substitute the result in the last expression for M4 by means of axiom I.
Mz =a TH(d.(Chagll Atal ChrellB AM, +a. (2. +
b.(d. Chall AtiallCoaell Aiea) + 8 - (---)) 
Eg tH(d. (CorallApdall Coal]. Ales + 8 - (d- Coal AtaallCPacll Anes) 
= TH(d.(b. (Chall AdaallCfacll Ages) + @-(--) +8. (..))+ 
b.(d. (Chall AbaallCoacll Ages) + @-(..-) +8. (d. Chall Atdall@.¢- CiacllA2s))) 
Cg tH(d.b. (Chall AbdallCoaell Ages) + 
b.(d. (Chall AdaallCoaell Ages) + 8. (a. Chall Atdall@-¢- Ciaell Ages ))) 


The steps above are again standard. Note however that in the third step we have to accept the input action b in the expression prefixed by b. This follows from the specification of S. We will show later that failing to accept action b will generate an error. To proceed we first have to simplify the internal expressions.


Crnall Apaall Coacll Ages 
=Q a.(...) +6. ( Claall - Ajiall@ - Cc. ChacllAges) 
Lg b. (C call « Ajaalla - Cc. ChacllAgen) 


d. Ce | Asaall@.¢. Chacll Age 


cad ach 
Hq d.(Crgall@- Apaall@. ¢- Cracll Ags) + a-(--) + 9.6...) 
Eq d.(Crrall@- Apaall@. ¢- CiacllAgs) 


Craalla- Ajaalla - c. Chacll Ages 


=9 @. (Craal|Asdalle- Coacll Ages) + @-(---) +...) 
Le a. ( CoaallAbaalle - ChacllAgen) 




Let 


def 


Pa a. ( Conall Abaall€ - Ciacll Anes) 


By substituting the results above in the last expression for M, we have 


MyE =Q tala. b. ( Ceaall Abaall Chaell Ages) + 
b.(d.(Cegall AvaallCiacll Ages) + 8 - (4. Conall Anaall@ - €  CoacllAaes))) 
b.b.F +6.(d.b.F +b.d.F)) 


Lg Tu(d. 
b.F)


=Q wal. 


The third step is obtained using axiom I together with axioms Igy for the substitutions. This step would not have been possible without accepting the input action b mentioned above. The fourth step is the application of axiom I. This gives two results:


M,C =Q b. Ta(e -(d. Chiall AbiallCoaell® - Aus) 
Lg b. TH(€ .b.0 F) 
=o b.b.b. M* 


where the only interesting case is the second step for M, in which we used axiom Ig. The process M* comes from the fact that $\tau_H(F) = M^*$. The result of the argument above is


M, Cg b.b. M* 


M, Cg b.b.b. M* 


In particular, by substituting in the last expression for M7, 


Mj Cg b. M3 +a.b.b.b.b.M* 


We can now analyze M3. The treatment is standard and the substitution of M, derives 


from syntactical equivalence. 


2 =Q TH(a (Cc. d. Claall Agaalld - Cc. CP |Agze) + b.( Ceaall Avaalle - Chae « Aus) 
Le a.TH(e.d.Crral|Apaallé - c. ChacllAges) + 6. TH(Ceaall Agaalle - Chaell Agen) 


=Q a. M, +6. TH(Ce |Agaalle - Chaell Ages) 


bac 


cad 


Let 
def 
M3 = TH ( Conall Apaall€ - Cyaell Ages) 
We have just shown that
M3 Cg b. M3 +a.b.b.b.M* 


M3=q Talc. (a.d.Ch,ql|AntallCiaclld- Agt,) + @-(¢-d. Chall Atialle - Chacll Aka) + 
=Q TH(c. (a. d. Coaa\| AbaallCoae b. Au) +4. (c dd. Coaa\lAbaall€ - Chaell Agen) 
=Q TH(C. (a. (d. Chall ApiallCoaell® - Aus) +8. (a. d. Craal| AbaallCoaell Ages) + 


“))+ 
a.(c. (d. Chall ApiallCoaell® - Aus) ta-(...)+6-(.-.))) 
(a. (d. Coaall Abaall Chrelld - Aus) +8. (a. d. Claall Adaall Chacll Ages) + 


a.(c. (d. Ceaa\| Abaall Chrelld - Avs) 
Le Ty(e.(a.b.b.F +b. (a. d. Coaall Adal Chaell Agen) + 


The steps above are standard. The problem is that we have to eliminate internal actions. In the steps below we first eliminate the internal action from the rightmost term a.c.b.b.F by means of axioms Igo941, then we apply axiom I obtaining the third expression. The rest is simple application of axioms Is 4.


MyCq ta(c.(a.b.b. FP +b.(a.d. Coaall Abaall Chaell Agen) + 
a.c.b.b.F) 
=Q tH(e.(a.b.b.F +6. (a. d. Coaall Adal Chaell Agen) + 


b.b.F +b. (a.d. Craall Apaal|Cracll Ages) 
Ob. b. F) +Ty(b. (a. d. Craa\| AvaallCoaell Ages) 
.b.M* +b. TH(a.d.Ch |AgaallCs, ||A 


cad bae ach) 


Let 


def 


M; = TH(a. d. Conall Apaall Cracll Agen) 


We have just shown that 
M3 Cg b.Mj+a.b.b.M* 
£ SQ TH(@-(d. Coral|ApiallCoacll Ages) + 8+ (4d Coral Abdall@ - € - Ciaell Agee)
= TH(a- (4. (Coaal| AbdallCoaell Ages) + @ «(+ -)+ 
b.(d. CogallAsaall@ -¢- Cracll Ages) + 6. M 
Eg Tula. (d.( Craa\| AvaallCiaell Ages) +2 - (d. Craall Anaall4@ - Cc. ChacllAgs)) + o.M 


The steps above are standard. We now simplify the left expression. 


TH(a.(d.( Craa\| AvaallCiaell Ages) +2 - (d. Craall Anaall4@ - Cc. ChacllAzes)) 
=a Tula. (d.(a.(...) +8. (Coaall@- Abdall@ -¢- Cizell Agen) + 

b.(d. (Ceaall@- Apaall@- € - Coacll Ages) +a-(--.) +8. (---)))) 
Eg tala. (d.b.(Ceqall@- Anaall@ - ¢ - Coaell Ages) + 


b.d. (Cz cad la. Ajiall@ - c. ChacllAges))) 
Le Ta(a.(d.b.a. (C call Agdall€ - CiacllAges)+ 
b.d.a. ( Caall Abaalle - Chacll Ages) 


=Q TH(a.b.a. ( Claall Agaall€ - Chacll Ages) 


=ga.b.M* 


The fourth step above is justified from the fact that CZ,4||@. Ajiall@-¢- Ciacll Agcy is M’ and 


cad bac Geb 


the inequality derived at the beginning of this proof. The successive step is the application of 
axiom Ij¢. 


By substituting in the last expression obtained for My we have 


Mj Cob. M +a.b. M* 


We can now apply the recursive substitutivity axiom obtaining our conclusion, i.e., M Ca S. 
Chapter 7

Conclusion


We have presented a process algebra (DIOA) with the following features: explicit interfaces 
associated with each expression, clear distinction between locally and globally controlled actions, 
input enabling, and actions under the control of at most one process. DIOA is directly related to 
I/O automata of Lynch and Tuttle [LT87], which have been successfully used for the verification 
of algorithms in distributed environments. 

We have found a set of sound laws for the quiescent preorder over DIOA that are complete 
for recursion-free processes. 

We have investigated the possibilities of using the quiescent preorder as an implementation 
relation and we have provided an intuitive understanding of its use. As a side effect we have 
found an intuitive property that could be required of a system and is not detected by the 
quiescent and fair preorders. 

We have given two simple example specifications to show how axioms can be used to prove correctness of implementations. The use of axioms, as can be seen in the given examples, sometimes seems simpler than the method based on possibilities mappings, which is characteristic of I/O automata, in the sense that the specification itself helps the verifier in understanding the axioms that need to be applied.

The above results, however, make clear that there are still many open problems. Some of the problems are understanding when algebraic reasoning is really simpler than the method based on possibilities mappings, whether it is possible to use algebraic reasoning on very complex systems, and whether it is possible to integrate algebraic reasoning with simulation techniques in order to simplify correctness proofs. For the last topic a useful fact is that most of the presented axioms are still valid if the underlying model deals with infinite traces or with fair traces.

An advantage of the algebraic method we have presented is that it seems easy to mechanize. A proposal of research could involve an understanding of how such a mechanized system could work. The tools could deal both with algebraic and mapping based methods and could be a sort of interactive environment where the user is helped in providing correctness proofs or discovering errors.

A third open problem is finding general formalisms capturing the essence of I/O automata 
without necessarily being input enabled. Input enabling, in fact, is one of the most discussed 
features of the I/O automaton model, since many reasonable concurrent tasks cannot be described 
at a sufficiently abstract level using I/O automata. In this thesis we have investigated the 
implications of input enabling on the algebraic laws of a generic process algebra; the next 
step is to verify how the notion of input enabling could be embedded into a generic process 
algebra without the input enabling condition. In doing so, we would obtain a more expressive 
model having all the features of I/O automata whenever a process meets the input enabling 
condition. Moreover, we could understand the essence of the commonly used implementation 
relations by viewing them through the process algebraic framework and by comparing them with 
the relations commonly used within process algebras. Some relations that seem very close to 
the preorder relations of I/O automata and that deserve further investigation are the testing 
preorders of De Nicola and Hennessy [DH84, De 85a, Hen88]. 

Although the above topics are quite important, we believe that one of the most important 
topics is to give a strong foundation to the commonly used verification methods. For example, 
in Chapter 6 we have given an informal description of how and when the quiescent preorder 
could be thought of as an implementation relation; in [LT87] Nancy Lynch and Mark Tuttle give 
an informal understanding of how the fair preorder can be used as an implementation relation; 
in Chapter 6 we have given an example of a property that could be required of a system and is 
not detected by the fair preorder. The questions are then straightforward: What do we require 
of an implementation relation? What are the properties we are interested in? What properties 
does a particular relation guarantee to be preserved? What is a property? Trying to give an 
answer to the questions above is definitely worth doing and should be one of the main topics 
for a long term plan of further research. 
Appendix A 


Tables 


Name        Op.                  Domain       Range    Restrictions 
quiescent   $\mathit{nil}_S$     (none)       $S$ 
omega       $\Omega_S$           (none)       $S$ 
prefixing   $a.$                 $S$          $S$      $a \in ext(S)$ 
ichoice     $\oplus_S$           $S, S$       $S$ 
echoice     $+_{IJ}$             $S, S$       $S$      $I, J \subseteq in(S)$ 
parallel    ${}_{S_1}\|_{S_2}$   $S_1, S_2$   $S_3$    $out(S_1) \cap out(S_2) = \emptyset$, 
                                                       $out(S_3) = out(S_1) \cup out(S_2)$, 
                                                       $in(S_3) = (in(S_1) \cup in(S_2)) \setminus out(S_3)$ 
hiding      $\tau_L$             $S$          $S'$     $L \subseteq out(S)$, $S' = (in(S), out(S) \setminus L)$ 
renaming    $\rho$               $S$          $S'$     for each injective $\rho : acts(S) \to acts(S')$, 
                                                       $S' = (\rho(in(S)), \rho(out(S)))$ 
process     $X_S$                (none)       $S$      $X_S \in \mathcal{X}_S$ 


Table A.1: The signature of DIOA 
Quiescent process and omega, for all $a \in in(S)$: 

$\mathit{nil}_S \xrightarrow{a} \Omega_S$ 
$\Omega_S \xrightarrow{a} \Omega_S$ 

Prefixing: 

$a.e \xrightarrow{a} e$ 
$a.e \xrightarrow{b} \Omega_S$ for all $b \in in(S) \setminus \{a\}$ 

Internal choice: 

$e_1 \oplus_S e_2 \xrightarrow{\tau} e_1$ 
$e_1 \oplus_S e_2 \xrightarrow{\tau} e_2$ 
$\dfrac{e_1 \xrightarrow{a} e_1'}{e_1 \oplus_S e_2 \xrightarrow{a} e_1'}$ for all $a \in in(S)$ 
$\dfrac{e_2 \xrightarrow{a} e_2'}{e_1 \oplus_S e_2 \xrightarrow{a} e_2'}$ for all $a \in in(S)$ 

External choice: 

$\dfrac{e_1 \xrightarrow{a} e_1'}{e_1 +_{IJ} e_2 \xrightarrow{a} e_1'}$ for all $a \in I \cup out(S)$ 
$\dfrac{e_2 \xrightarrow{a} e_2'}{e_1 +_{IJ} e_2 \xrightarrow{a} e_2'}$ for all $a \in J \cup out(S)$ 
$e_1 +_{IJ} e_2 \xrightarrow{a} \Omega_S$ for all $a \in in(S) \setminus (I \cup J)$ 
$\dfrac{e_1 \xrightarrow{\tau} e_1'}{e_1 +_{IJ} e_2 \xrightarrow{\tau} e_1' +_{IJ} e_2}$ 
$\dfrac{e_2 \xrightarrow{\tau} e_2'}{e_1 +_{IJ} e_2 \xrightarrow{\tau} e_1 +_{IJ} e_2'}$ 

Hiding (actions in $L$ become internal): 

$\dfrac{e \xrightarrow{a} e'}{\tau_L(e) \xrightarrow{a} \tau_L(e')}$ for $a \notin L$ 
$\dfrac{e \xrightarrow{a} e'}{\tau_L(e) \xrightarrow{\tau} \tau_L(e')}$ for $a \in L$ 

Renaming: 

$\dfrac{e \xrightarrow{a} e'}{\rho_S(e) \xrightarrow{\rho(a)} \rho_S(e')}$ 

Parallel composition: 

$\dfrac{e_1 \xrightarrow{a} e_1' \qquad e_2 \xrightarrow{a} e_2'}{e_1 \,{}_{S_1}\|_{S_2}\, e_2 \xrightarrow{a} e_1' \,{}_{S_1}\|_{S_2}\, e_2'}$ 
$\dfrac{e_1 \xrightarrow{a} e_1'}{e_1 \,{}_{S_1}\|_{S_2}\, e_2 \xrightarrow{a} e_1' \,{}_{S_1}\|_{S_2}\, e_2}$ for $a \in acts(S_1) \setminus ext(S_2)$ 
$\dfrac{e_2 \xrightarrow{a} e_2'}{e_1 \,{}_{S_1}\|_{S_2}\, e_2 \xrightarrow{a} e_1 \,{}_{S_1}\|_{S_2}\, e_2'}$ for $a \in acts(S_2) \setminus ext(S_1)$ 


Table A.2: The transition rules for DIOA 
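The transition rules of Table A.2 as executable code. This is an added example and not part of Segala's thesis: a small Python interpreter for the fragment nil, Ω, prefixing, internal choice, external choice and parallel composition (hiding, renaming and process variables are left out). The Sort/Proc encoding, every function name and the producer/consumer sample are my own hypothetical choices; the synchronisation rule of parallel composition is applied only to actions in both sorts' external action sets, and an input action is taken to resolve an internal choice to the chosen branch. The point it makes concrete is input enabling: a consumer that receives a second, unspecified `send` does not reject it but collapses to Ω, the state about which nothing is guaranteed, which is exactly the case a reviewer of a protocol specification wants surfaced.

```python
# Added example (not from the thesis): interpreter for the DIOA rules of
# Table A.2 on the fragment nil, Omega, prefixing, ichoice, echoice, parallel.
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

TAU = "tau"  # the internal action


@dataclass(frozen=True)
class Sort:
    """A sort S = (in(S), out(S)) with disjoint input and output sets."""
    inputs: FrozenSet[str]
    outputs: FrozenSet[str]

    def ext(self) -> FrozenSet[str]:
        return self.inputs | self.outputs

    def acts(self) -> FrozenSet[str]:
        return self.ext() | {TAU}


@dataclass(frozen=True)
class Proc:
    """An expression of sort `sort`; `node` is a constructor-tagged tuple."""
    sort: Sort
    node: tuple


def nil(S: Sort) -> Proc:
    return Proc(S, ("nil",))


def omega(S: Sort) -> Proc:
    return Proc(S, ("omega",))


def prefix(a: str, e: Proc) -> Proc:
    assert a in e.sort.ext()                       # Table A.1: a in ext(S)
    return Proc(e.sort, ("pre", a, e))


def ichoice(e1: Proc, e2: Proc) -> Proc:
    assert e1.sort == e2.sort
    return Proc(e1.sort, ("ichoice", e1, e2))


def echoice(I, J, e1: Proc, e2: Proc) -> Proc:
    I, J = frozenset(I), frozenset(J)
    assert e1.sort == e2.sort and I | J <= e1.sort.inputs   # I, J subsets of in(S)
    return Proc(e1.sort, ("echoice", I, J, e1, e2))


def par(e1: Proc, e2: Proc) -> Proc:
    S1, S2 = e1.sort, e2.sort
    assert not (S1.outputs & S2.outputs)           # Table A.1: outputs disjoint
    outs = S1.outputs | S2.outputs
    return Proc(Sort((S1.inputs | S2.inputs) - outs, outs), ("par", e1, e2))


def step(e: Proc) -> Set[Tuple[str, Proc]]:
    """All (label, successor) pairs derivable for e by the rules of Table A.2."""
    S, n = e.sort, e.node
    res: Set[Tuple[str, Proc]] = set()
    if n[0] in ("nil", "omega"):                   # every input leads to Omega_S
        res |= {(a, omega(S)) for a in S.inputs}
    elif n[0] == "pre":
        a, e1 = n[1], n[2]
        res.add((a, e1))
        res |= {(b, omega(S)) for b in S.inputs - {a}}   # unspecified input
    elif n[0] == "ichoice":
        e1, e2 = n[1], n[2]
        res |= {(TAU, e1), (TAU, e2)}
        for ei in (e1, e2):                        # an input resolves the choice
            res |= {(a, f) for a, f in step(ei) if a in S.inputs}
    elif n[0] == "echoice":
        I, J, e1, e2 = n[1:]
        for a, f in step(e1):
            if a in I | S.outputs:
                res.add((a, f))
            elif a == TAU:
                res.add((TAU, Proc(S, ("echoice", I, J, f, e2))))
        for a, f in step(e2):
            if a in J | S.outputs:
                res.add((a, f))
            elif a == TAU:
                res.add((TAU, Proc(S, ("echoice", I, J, e1, f))))
        res |= {(a, omega(S)) for a in S.inputs - (I | J)}
    elif n[0] == "par":
        e1, e2 = n[1], n[2]
        S1, S2 = e1.sort, e2.sort
        t1, t2 = step(e1), step(e2)
        for a, f1 in t1:
            if a in S1.acts() - S2.ext():          # e1 moves alone
                res.add((a, Proc(S, ("par", f1, e2))))
            else:                                  # shared action: both move
                res |= {(a, Proc(S, ("par", f1, f2))) for b, f2 in t2 if b == a}
        for a, f2 in t2:
            if a in S2.acts() - S1.ext():          # e2 moves alone
                res.add((a, Proc(S, ("par", e1, f2))))
    return res


def quiet(e: Proc) -> bool:
    """No locally controlled action (output or tau) is enabled (cf. Table A.5)."""
    return all(a in e.sort.inputs for a, _ in step(e))


def run_to_quiescence(e: Proc, limit: int = 20):
    """Follow locally controlled actions until a quiescent state; returns (trace, state)."""
    trace = []
    while not quiet(e) and len(trace) < limit:
        a, e = min(((a, f) for a, f in step(e) if a not in e.sort.inputs), key=lambda t: t[0])
        trace.append(a)
    return trace, e


# Constructed sample (hypothetical): a producer emitting `send` once and a
# consumer that expects `send` and then answers `ack`.
S_PROD = Sort(frozenset(), frozenset({"send"}))
S_CONS = Sort(frozenset({"send"}), frozenset({"ack"}))
PRODUCER = prefix("send", nil(S_PROD))
CONSUMER = prefix("send", prefix("ack", nil(S_CONS)))


def producer_consumer_trace():
    trace, final = run_to_quiescence(par(PRODUCER, CONSUMER))
    return trace, final == par(nil(S_PROD), nil(S_CONS))


def consumer_after_unexpected_input():
    """After `send`, the consumer still accepts a second `send` (input enabling)
    but collapses to Omega; maps each enabled label to whether it leads to Omega."""
    after_send = next(f for a, f in step(CONSUMER) if a == "send")
    return {a: (f == omega(S_CONS)) for a, f in step(after_send)}
```

`producer_consumer_trace()` follows the only locally controlled action at each step and ends in `nil || nil` after `send` then `ack`; `consumer_after_unexpected_input()` shows that the same consumer, once past `send`, maps `ack` to `nil` but a repeated `send` to Ω.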
$wsi_{A,B}(\mathit{nil}) = \emptyset$ 

$wsi_{A,B}(\Omega) = \emptyset$ 

$wsi_{A,B}(a.e) = \{a\}$ if $a \in in(e) \setminus A$; $\emptyset$ if $a \in out(e) \cup A$ 

$wsi_{A,B}(e_1 \oplus e_2) = wsi_{A,B}(e_1) \cap wsi_{A,B}(e_2)$ 

$wsi_{A,B}(e_1 +_{IJ} e_2) = \emptyset$ if $B \cap A \cap (in(e_1) \setminus (I \cup J)) \neq \emptyset$; 
$(I \cap wsi_{A,\,B \cap (I \cup out(e_1))}(e_1)) \cup (J \cap wsi_{A,\,B \cap (J \cup out(e_2))}(e_2))$ otherwise 

$wsi_{A,B}(\tau_L(e)) = wsi_{A \cup L,\,B}(e)$ 

$wsi_{A,B}(\rho(e)) = \rho(wsi_{\rho^{-1}(A),\,\rho^{-1}(B)}(e))$ 

$wsi_{A,B}(e_1 \| e_2) = wsi_{A,B}(e_1) \cup wsi_{A,B}(e_2)$ 

$wsi_{A,B}(X) = wsi_{A,B}(E(X))$ 


Table A.3: Definition of wsi for DIOA. $wsi(e) = wsi_{\emptyset,\emptyset}(e)$ 
wso,4 p(nil) = 


wso0(Q) = out(Q)\A 


) if AN BN in(nil) = 9 
out(nil)\A otherwise 


out(e)\A if Bn An {a} 40 


wso, p(@.e) = 


{al nout(e) if BN AN{a}=OandagA 
wsoga(e) if BN ANfa}=Oandaec ANB 


0 if BN An {a} =@ and ac A\B 


wso4 p(€1 ® €2) = wso4 p(€1) U wso, p(€r) 


W804 Br(Tuout(e,))(€1) U W804 Ba(suout(es) (€2) If BON ANTUS=9 


ws0a,p(er ry €2) = out(e,)\A 
wso 4 p(Tr(€)) = wsegur,pur(€) 
ws0o 4,B(p(€)) = p(ws0p-1(4),9-1(8)(€)) 


wso 4 4(€1) U wso,4 4(€2) 
ws0 4 p(€1||€2) = 


wso4 p(X) = wso4 p(E(X)) 


otherwise 


if da € BN A: a € aets(e,)\ert(e.) 
or a € acts(e€z)\ext(e; ) 
wso, p(€1) U wso4 p(€2) otherwise 


Table A.4: Definition of wso for DIOA wso(e) = wsog g(€) 
$localen(\mathit{nil}) = \emptyset$ 
$localen(a.e) = \{a\} \cap out(e)$ 
$localen(e_1 \oplus e_2) = \{\tau\}$ 
$localen(e_1 +_{IJ} e_2) = localen(e_1) \cup localen(e_2)$ 
$localen(\tau_L(e)) = localen(e)$ 
$localen(\rho(e)) = \rho(localen(e))$ 
$localen(e_1 \| e_2) = localen(e_1) \cup localen(e_2)$ 
$localen(X) = localen(E(X))$ 

$inten(e) = \mathit{true}$ iff $\tau \in localen(e)$ 
$quiet(e) = \mathit{true}$ iff $localen(e) = \emptyset$ 


Table A.5: Definition of localen, inten and quiet 


renaming axioms 

$\rho_1(\rho_2(e)) =_Q \rho_1 \circ \rho_2(e)$ 

$\rho(\tau_L(e)) =_Q \tau_{\rho'(L)}(\rho'(e))$ if $\rho'$ extends $\rho$ 

$\rho(e \| f) =_Q \rho(e) \| \rho(f)$ 

parallel axioms 

$e \| f =_Q f \| e$ 

$(e \| f) \| g =_Q e \| (f \| g)$ 

Qs, ||nils, Co Qs,|\nils, if (owt(S,) C out(Sy)) A ((in(S2)  in($4)) V out( Sy) = 0) 


external choice axioms 

ert; f =a fatre 

(erty f) mrtK 9 =o €rtsuK (f rt+K 9g) 
€=g ertse if Wsi(e) CIUS 


erty f=qleatke\rts fifi CHU 


(not(quiet(e)) A not(inten(e))) V quiet(f) 
eCgerts f 


if JA Wsi(f) CT 


(not(quiet(e)) A not(inten(e))) V quiet(f) 
erty 9 Cg (entkK f)rti9 
quiet( f)) 
erty flge 
quiet( f) 

(extK f)rtrg Co ertig 
€=g erty a.Q if Wsi(e) CI and Wsi(e)N J = 0 


if KN Wsi(f)OI CH 


if Wsi(e) C I and Wsi(e)N J =0 


if Wsi(e) NI C H and AN Wsi(e)NIT=9 


a.e;t+ya.f =qa.(e@ f) ifa € out(e)U(IN J) 


er+; fCge@f where Wsi(e)N Wsi(f) CLUS 


Table A.6: The axioms for DIOA. 
quiet(e) => quiet(f) A not(inten(e)) A not(inten(f)) 
erty f=qeSf 


a € in(e) V (not( quiet(q)) A not(inten(q))) V quiet(f) f Wsi(g) C K, and 
(a.e;+s f) OG Sq (@.€ +7 f) B(a.e7+K g) {a} IC {a}nk 


ets f =g € nfatts\fa} fifae I\ Wsi( ). 


if Wsi(e)U Wsi( f) CLAS 


quiet f) where Wsi(e) CI 
€ =Q € ito f 


mete Apa 
ert+s 9 =q (€rt+K f)rt+s9 


internal choice axioms 

$e \oplus f =_Q f \oplus e$ 

$e =_Q e \oplus e$ 

$a.(e \oplus f) =_Q a.e \oplus a.f$ 

$(e \oplus f) +_{IJ} g =_Q (e +_{IJ} g) \oplus (f +_{IJ} g)$ 

$\tau_L(e \oplus f) =_Q \tau_L(e) \oplus \tau_L(f)$ 

$(e \oplus f) \| g =_Q (e \| g) \oplus (f \| g)$ 

$e \sqsubseteq_Q e \oplus f$ 

$e =_Q \rho(e)$ if $\rho$ is the identity function 

hiding axioms 
trle) Ea T(S) 


T(a.e) Cg Tr(a. f) 


Table A.7: The axioms for DIOA: actions of the form 7; belong to I. 
Tr(e) Lg Tr(g) 
Tre atkK f) Eg tg atk f) 


Tr(e) Lg TrHi.e #+x f) 
T(t. €) =@ Tre) if Wsi(e) = 0 
T(E ntg?t.f) =9 Tre f) 


quiet(e) 
Te wt0t. f) =Q Te K+K f) 


( 
((Qsq||n#/s, || ---|[nels, lle) =e Tr(Qlle) if Vi<j<n(out( So) 1 in(S;) 1 1)\in(e) # O 
1(Qs,l|nils, || ---[nils,) So Qsorllnelsyrl| ---||nils, vr if Vierenout($o) N in(S;,) NL =O 
( 
(2 


if Wsi(e) C H 


if Wsi(e) C H and Wsi(e) C 


i 


Tr(@.%.€ fajnin(ey tp t.a.€) SQ Tr(a.e) if Wsi(e) = 0 
T(t. (eats flats f) SQ trle ots f) if quiet(f) and Wsi(f) C J 
omega axioms 

$\rho(\Omega_S) =_Q \Omega_{\rho(S)}$ 

$\tau_L(\Omega_S) =_Q \Omega_{S'}$ where $S' = (in(S), out(S) \setminus L)$ 

$\Omega_{S_1} \| \Omega_{S_2} =_Q \Omega_{S_3}$ where $S_3$ is the composition of $S_1$ and $S_2$ 
expansion axioms 

Let $e = \Omega_{S_0} \| \mathit{nil}_{S_1} \| \cdots \| \mathit{nil}_{S_n}$ be of sort $S$. For each $a \in out(S_0) \cup in(S)$ let $e_a$ be the state 
that $e$ reaches with action $a$. Then $e =_Q (\sum_{a \in out(S_0) \cup in(S)} a.e_a) \oplus (\sum_{a \in in(S)} a.e_a)$. 

Let $e = e_1 \| e_2 \| \cdots \| e_n$ where each $e_i$ is of the form $\sum_j a_{ij}.e_{ij}$. For each action $a \in ext(e)$ 
let 
$E^i_a = \{e_{ij} \mid a_{ij} = a\}$ if $a \in acts(e_i)$, and $E^i_a = \{e_i\}$ otherwise. 
Let $out(a)$ be the index $j$ such that $a$ is an output action of $e_j$ ($0$ otherwise), and let 
$E_a = \emptyset$ if $out(a) \neq 0$ and $E^{out(a)}_a = \emptyset$; 
$E_a = \{f_1 \| \cdots \| f_n \mid f_i \in E^i_a \vee (E^i_a = \emptyset \wedge f_i = \Omega)\}$ otherwise. 
Then $e =_Q \sum_{a \in ext(e)} (\sum_{f \in E_a} a.f)$. 
Let e;,0 <2 <n be atomic expressions and, for each action a, let f% be the state that e; 
reaches with action a (e if no state exists). Then ep Coby <;<, & iff, for each action a, 
either ff =¢;,,0<t<nor fi =eor fy Cehipas, Sf. 


Table A.8: The axioms for DIOA. 